CVE-2019-12384
Polymorphic Deserialization vulnerability in com.fasterxml.jackson.core:jackson-databind


What is CVE-2019-12384 About?

FasterXML jackson-databind 2.x before 2.9.9.1 can be abused for a variety of impacts because it fails to block a gadget class from the `logback-core` library from polymorphic deserialization. Depending on what else is on the classpath, this can lead to remote code execution. Exploitation requires specific conditions and classpath contents.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.9.1
    • >2.8.0, <2.8.11.4
    • >2.7.0, <2.7.9.6
    • >2.0.0, <2.6.7.3

Technical Details

The vulnerability in FasterXML jackson-databind 2.x before 2.9.9.1 stems from its failure to block polymorphic deserialization of a gadget class from the `logback-core` library. When polymorphic deserialization (default typing) is enabled or implicitly used, an attacker who controls the JSON input can name a class from `logback-core` in the type id. During deserialization, `jackson-databind` instantiates that attacker-specified class and populates its properties from the payload. If the class has methods or properties that trigger external interactions (e.g., JNDI lookups), this can lead to arbitrary code execution, especially when further gadget classes are present on the application's classpath.

What is the Impact of CVE-2019-12384?

Successful exploitation may allow attackers to execute arbitrary code on the affected system, potentially leading to full system compromise, data theft, or denial of service, depending on the classpath content.

What is the Exploitability of CVE-2019-12384?

Exploitation is complex and requires specific conditions: a vulnerable `jackson-databind` version, the `logback-core` library on the classpath, and a misconfigured polymorphic deserialization setup. It is a remote exploitation vector if the application accepts untrusted data for deserialization. No prior authentication is needed for the deserialization endpoint itself if it is publicly exposed. The attacker must craft a specific JSON payload leveraging the `logback-core` gadget. The impact and ease of exploitation depend heavily on other libraries present on the classpath that can be chained as gadgets. Risk factors include default or overly permissive `jackson-databind` configurations and outdated library versions in internet-facing applications.

What are the Known Public Exploits?

PoC Author  | Link | Commentary
jas502n     | Link | Jackson RCE for CVE-2019-12384
MagicZer0   | Link | CVE-2019-12384 vulnerability test environment

What are the Available Fixes for CVE-2019-12384?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch adds `ch.qos.logback.core.db.DriverManagerConnectionSource` to the denylist of classes blocked from polymorphic deserialization. This prevents exploitation of CVE-2019-12384 by refusing to deserialize this class, which could otherwise be abused as a gadget for remote code execution.
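To make the Technical Details and the fix concrete, the following is an added example (not code from this page or from Resolved Security) that puts the weak default-typing setting beside the allowlist validator available in jackson-databind 2.10+. The denylist described above is reactive: each new gadget class has to be added to it, whereas an allowlist resolves only the application's own types. The package `com.example.app`, the `LoginEvent` type and both JSON inputs are hypothetical/constructed; `java.util.HashMap` stands in for any type id the application did not expect.

```java
package com.example.app;  // hypothetical application package; also used as the allowlist prefix
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicHardening {
    /** A type the application legitimately expects to receive polymorphically. */
    public static class LoginEvent {
        public String user;
    }

    /** Weak setting: default typing with no validator. Any class named in the JSON type id
     *  is resolved and instantiated; only jackson-databind's hard-coded denylist (the one the
     *  CVE-2019-12384 fix extends) stands between untrusted input and a gadget class. */
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    /** Hardened setting (jackson-databind 2.10+): an allowlist validator. Only subtypes under
     *  our own package resolve, so a gadget is unreachable whether or not the denylist knows it. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.")
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    /** Reports the runtime class the mapper produced, or the exception that stopped it. */
    static String tryRead(ObjectMapper m, String json) {
        try {
            return "accepted: " + m.readValue(json, Object.class).getClass().getName();
        } catch (JsonProcessingException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs; default typing wraps each value as [typeId, value].
        String ours = "[\"com.example.app.PolymorphicHardening$LoginEvent\", {\"user\":\"alice\"}]";
        String foreign = "[\"java.util.HashMap\", {}]"; // stand-in for any unexpected type id
        for (ObjectMapper m : new ObjectMapper[] {weakMapper(), hardenedMapper()}) {
            System.out.println(tryRead(m, ours) + " | " + tryRead(m, foreign));
        }
    }
}
```

The weak mapper instantiates both inputs, while the hardened mapper accepts only the application's own type and rejects the foreign type id with an `InvalidTypeIdException`, regardless of whether that class appears on any denylist.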

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.6.7.3 → Upgrade to 2.6.7.3
    • >2.7.0, <2.7.9.6 → Upgrade to 2.7.9.6
    • >2.8.0, <2.8.11.4 → Upgrade to 2.8.11.4
    • >2.9.0, <2.9.9.1 → Upgrade to 2.9.9.1


Additional Resources

What are Similar Vulnerabilities to CVE-2019-12384?

Similar Vulnerabilities: CVE-2019-14893, CVE-2019-17267, CVE-2017-7525, CVE-2018-7489, CVE-2020-36518