CVE-2020-10672
Serialization Gadgets vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2020-10672 About?
This vulnerability in FasterXML jackson-databind 2.x before 2.9.10.4 involves mishandling serialization gadgets, specifically related to 'org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory'. It can lead to remote code execution due to improper interaction between serialization and typing. Exploitation is possible if an attacker can provide crafted serialized data.
Affected Software
Technical Details
FasterXML jackson-databind versions 2.x before 2.9.10.4 mishandle deserialization of untrusted data through the `org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory` gadget (from the `aries.transaction.jms` library). When the `ObjectMapper` is configured for polymorphic deserialization (e.g., via `enableDefaultTyping()`), an attacker can craft a JSON payload whose type designator names the `XaPooledConnectionFactory` class and whose properties, when applied during deserialization, trigger the connection factory's own logic. Because jackson-databind instantiates and configures the object from the supplied type and properties, this can lead to arbitrary code execution or other harmful effects on the system.
What is the Impact of CVE-2020-10672?
Successful exploitation may allow attackers to execute arbitrary code, achieve denial of service, or leak sensitive information, depending on the capabilities exposed by the deserialized gadget.
What is the Exploitability of CVE-2020-10672?
Exploitation of this vulnerability is of moderate complexity: it requires the ability to send specially crafted serialized data (e.g., JSON) to an application that uses a vulnerable version of jackson-databind with polymorphic type handling enabled. There are no specific authentication or privilege requirements for the exploit itself, beyond the means to deliver the malicious payload to the target. This is typically a remote exploitation scenario. A crucial prerequisite is that the application's classpath must include the `aries.transaction.jms` library. The risk is heightened when applications deserialize untrusted data without proper validation, especially in environments where `jackson-databind` is widely used with default typing enabled.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-10672?
About the Fix from Resolved Security
The patch adds the `org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory` class to a denylist that prevents certain classes from being deserialized by default. This prevents exploitation of CVE-2020-10672, which is a remote code execution vulnerability caused by unsafe deserialization of this class using Jackson, by blocking its use in polymorphic deserialization.
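A denylist only covers gadgets that are already known. The complementary control on the application side is to keep polymorphic typing restricted to the types the application actually expects. The following is an added example, not code from Resolved Security or from the Jackson project; it assumes jackson-databind 2.10 or later (which introduced `PolymorphicTypeValidator`), and `Message`/`TextMessage` are hypothetical application types:

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonHardening {
    // Hypothetical application types: the only polymorphic base we want to accept.
    public abstract static class Message {}
    public static class TextMessage extends Message {
        public String body;
        public TextMessage() {}
        public TextMessage(String body) { this.body = body; }
    }

    // Weak configuration from the advisory (deprecated since 2.10):
    //   ObjectMapper m = new ObjectMapper(); m.enableDefaultTyping();
    // With it, any class on the classpath may be named in a type designator.

    // Hardened configuration: default typing stays on, but only subtypes of
    // Message are accepted; anything else is rejected before properties are read.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Message.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL,
                JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();
        // Legitimate round trip: the type designator names an allowed subtype.
        String ok = mapper.writeValueAsString(new TextMessage("hello"));
        Message msg = mapper.readValue(ok, Message.class);
        System.out.println("accepted: " + ok + " -> " + msg.getClass().getSimpleName());

        // Constructed input whose type designator names the gadget class from the
        // advisory. The validator refuses it whether or not aries.transaction.jms
        // is on the classpath, so no instance is ever created or configured.
        String denied = "{\"@class\":\"org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory\"}";
        try {
            mapper.readValue(denied, Message.class);
            System.out.println("UNEXPECTED: gadget type was accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

The negative case doubles as a regression check: run it after any Jackson upgrade or `ObjectMapper` refactor to confirm the validator is still in force.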
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
  - >2.9.0, <2.9.10.4 → Upgrade to 2.9.10.4
Additional Resources
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://github.com/FasterXML/jackson-databind/issues/2659
What are Similar Vulnerabilities to CVE-2020-10672?
Similar Vulnerabilities: CVE-2020-10673, CVE-2020-14061, CVE-2019-12384, CVE-2019-14540, CVE-2019-14439
