CVE-2020-10968
Polymorphic Typing vulnerability in com.fasterxml.jackson.core:jackson-databind

Polymorphic Typing · No known exploit · Fixable by Resolved Security

What is CVE-2020-10968 About?

This is a deserialization vulnerability in FasterXML jackson-databind 2.x before 2.9.10.4. The library mishandles the interaction between serialization gadgets and polymorphic typing: the class `org.aoju.bus.proxy.provider.remoting.RmiProvider` (from the bus-proxy library) was not covered by the denylist that jackson-databind uses to refuse known-dangerous types. When an application enables polymorphic type handling (for example Default Typing) on untrusted JSON and this gadget class is on the classpath, a crafted payload can lead to remote code execution.

Affected Software

com.fasterxml.jackson.core:jackson-databind >2.9.0, <2.9.10.4

Technical Details

jackson-databind protects polymorphic deserialization with a denylist (`SubTypeValidator`) of class names known to be usable as gadgets, rather than an allow list of types the application actually expects. Before 2.9.10.4 that denylist did not include `org.aoju.bus.proxy.provider.remoting.RmiProvider`. When an application enables polymorphic type handling on untrusted input, the attacker chooses the class name in the type id of the JSON payload; a vulnerable `jackson-databind` instance then instantiates the RMI provider class and populates it from attacker-controlled properties. Code in the gadget's constructor or setters runs during deserialization, which is how arbitrary code execution is reached. The incomplete denylist therefore lets the payload bypass the only control that was meant to stop dangerous classes from being instantiated from untrusted input.

What is the Impact of CVE-2020-10968?

Successful exploitation may allow attackers to achieve arbitrary code execution, denial of service, or information disclosure on the affected system.

What is the Exploitability of CVE-2020-10968?

Exploitation of this `jackson-databind` deserialization vulnerability is of moderate to high complexity. It requires the ability to send crafted JSON to an application using a vulnerable `jackson-databind` version. Two prerequisites must both hold. First, the application must enable polymorphic type handling for the untrusted input (global Default Typing, or a `@JsonTypeInfo` annotation that lets the JSON name the class to instantiate); an `ObjectMapper` with default settings does not resolve attacker-supplied class names and is not affected. Second, the `org.aoju.bus.proxy.provider.remoting.RmiProvider` class must be present on the application's classpath, since it is the gadget the payload names. Authentication is generally not a factor if the deserialization endpoint is externally accessible. This is a remote attack vector, and its success hinges on the application processing untrusted serialized data without adequate type filtering or validation. With both prerequisites met, the attack is a single crafted request, which is why the presence of the gadget significantly increases the likelihood of remote code execution.
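The configuration contrast described in the Technical Details and Exploitability sections, as an added example (not code from jackson-databind, bus-proxy, or this advisory): one `ObjectMapper` uses global Default Typing with no type validator, which is the setup that makes denylist gaps such as CVE-2020-10968 reachable, and a second gates Default Typing behind an allow list so that only the application's own package may be named in a type id. It assumes jackson-databind 2.10 or newer on the classpath (`activateDefaultTyping` and `BasicPolymorphicTypeValidator` were introduced in 2.10); the package name, the `Envelope` and `Greeting` classes, and both JSON inputs are constructed for the demo.

```java
package com.example.demo;

import java.io.IOException;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/*
 * Added example; not code from jackson-databind, bus-proxy, or this advisory.
 * Assumes jackson-databind 2.10+ on the classpath. The package name, the
 * Envelope and Greeting classes, and both JSON inputs are constructed for the demo.
 */
public class DefaultTypingDemo {

    /** A bean with an Object-typed property: the kind of field global Default Typing applies to. */
    public static class Envelope {
        public Object payload;
    }

    /** A legitimate, application-owned type that the payload may carry. */
    public static class Greeting {
        public String text;
    }

    // Constructed inputs in Jackson's WRAPPER_ARRAY default-typing form: ["<class name>", {...}].
    // Once Default Typing is on, the class name inside the array is attacker-controlled.
    static final String BENIGN_JSON =
            "{\"payload\":[\"" + Greeting.class.getName() + "\",{\"text\":\"hello\"}]}";
    static final String GADGET_JSON =
            "{\"payload\":[\"org.aoju.bus.proxy.provider.remoting.RmiProvider\",{}]}";

    /**
     * Vulnerable pattern: global Default Typing with no type validator. Any class name in the
     * JSON is resolved and instantiated unless SubTypeValidator's denylist happens to name it;
     * before 2.9.10.4 that denylist did not include RmiProvider.
     */
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    /**
     * Hardened pattern: Default Typing gated by an allow list. Only subtypes whose class name
     * starts with the application's own package may be named in the JSON; every other type id,
     * known gadget or not, is rejected before it is instantiated.
     */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.demo.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv);
        return mapper;
    }

    /** Deserializes one input and reports whether its polymorphic type id was accepted or rejected. */
    static String tryDeserialize(ObjectMapper mapper, String json) {
        try {
            Envelope env = mapper.readValue(json, Envelope.class);
            return "accepted: " + (env.payload == null ? "null" : env.payload.getClass().getName());
        } catch (JsonMappingException e) {
            // Denylist hits ("Illegal type ... prevented for security reasons"), allow-list
            // denials and unresolvable type ids all surface here.
            return "rejected: " + e.getOriginalMessage();
        } catch (IOException e) {
            return "malformed input: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("vulnerable, benign: " + tryDeserialize(vulnerableMapper(), BENIGN_JSON));
        System.out.println("vulnerable, gadget: " + tryDeserialize(vulnerableMapper(), GADGET_JSON));
        System.out.println("hardened, benign:   " + tryDeserialize(hardenedMapper(), BENIGN_JSON));
        System.out.println("hardened, gadget:   " + tryDeserialize(hardenedMapper(), GADGET_JSON));
    }
}
```

With the vulnerable mapper, the gadget input is rejected only where the denylist names the class (2.9.10.4 and later); on an earlier 2.9.x with bus-proxy on the classpath it is instantiated. The hardened mapper rejects it on every version because the decision no longer depends on the denylist. Note that the allow list must name subtypes, not the base type: allowing `Object` itself as a base type (`allowIfBaseType(Object.class)`) would permit every subtype and reopen the hole.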

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2020-10968?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch adds several new class names, including the bus-proxy RMI provider, to the denylist in `SubTypeValidator` so that they can no longer be named as polymorphic subtypes during deserialization. By refusing to instantiate these classes from untrusted input, it closes the known gadget paths for remote code execution and other attacks via unsafe polymorphic deserialization, fixing CVE-2020-10968. Note that this is a denylist update: it blocks the gadgets known at the time and nothing else. Applications that need polymorphic typing on untrusted input should also move to an allow list of expected types (jackson-databind 2.10 and later provide `PolymorphicTypeValidator` for this), which removes the dependence on the denylist being complete.

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.10.4 → Upgrade to 2.9.10.4


Additional Resources

What are Similar Vulnerabilities to CVE-2020-10968?

Similar Vulnerabilities: CVE-2020-11111, CVE-2019-20330, CVE-2020-11620, CVE-2019-14540, CVE-2017-7525