CVE-2020-11111
Polymorphic Typing vulnerability in com.fasterxml.jackson.core:jackson-databind


What is CVE-2020-11111 About?

CVE-2020-11111 is a deserialization vulnerability in FasterXML jackson-databind 2.x before 2.9.10.4. The library mishandles the interaction between serialization gadgets and polymorphic typing: when an application lets the JSON document choose the class to instantiate (default typing or an equivalent `@JsonTypeInfo` setup) and classes from `org.apache.activemq.*` (the activemq-jms, activemq-core, activemq-pool and activemq-pool-jms artifacts) are on the classpath, a crafted JSON document can instantiate one of those classes and drive its setters with attacker-controlled values, which can lead to remote code execution. The library on its own is not exploitable; exploitation requires that configuration plus a usable gadget chain on the classpath.

Affected Software

com.fasterxml.jackson.core:jackson-databind >2.9.0, <2.9.10.4

Technical Details

Jackson's polymorphic type handling lets the JSON input name the concrete class to instantiate, for example through `ObjectMapper.enableDefaultTyping()` or a property annotated with `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)`. Because any class with a usable constructor and setters can be selected this way, jackson-databind keeps a deny list of known gadget classes (`SubTypeValidator`) that is consulted before a class name taken from the input is resolved. Before 2.9.10.4 that list did not cover the ActiveMQ connection-factory classes under `org.apache.activemq.*`, so a payload naming one of them is accepted: Jackson instantiates the class and invokes its setters (or a delegating constructor) with the attacker-supplied property values, and the side effects of those calls are what is abused for code execution. The underlying weakness is the blocklist approach itself: the library restricts instantiable types by enumerating known-bad classes rather than by allowing only the types the application expects, so every newly discovered gadget on the classpath reopens the issue until it is added to the list.

What is the Impact of CVE-2020-11111?

Successful exploitation allows arbitrary code execution in the context of the Java process that performs the deserialization. Depending on the gadget and the environment, the same primitive can instead be used for denial of service (for example by forcing outbound connections or expensive object construction) or for information disclosure.

What is the Exploitability of CVE-2020-11111?

Exploitation is of moderate to high complexity and is only possible when four conditions hold at once: the application uses jackson-databind in an affected version; it deserializes attacker-controlled JSON with polymorphic type handling enabled (default typing, or a property of a loose static type such as `Object` carrying class-based `@JsonTypeInfo`); the ActiveMQ gadget classes are on the application's classpath; and the attacker can deliver JSON to that `ObjectMapper`. The attack vector is remote. No authentication is needed when the deserialization endpoint is reachable without it, but network access to the vulnerable service is required. Likelihood rises for applications that routinely parse untrusted JSON and ship a large transitive dependency set, since such classpaths tend to contain known deserialization gadgets; an application that never enables polymorphic typing for untrusted input is not exploitable through this CVE even if the vulnerable version and the ActiveMQ classes are present.

What are the Known Public Exploits?

No known public exploits are listed (no PoC, author, link or commentary entries).

What are the Available Fixes for CVE-2020-11111?

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.10.4 → Upgrade to 2.9.10.4 or later

Upgrading to a current 2.x release (2.10 or newer) is preferable to stopping at 2.9.10.4: later releases keep extending the gadget block list and provide the `PolymorphicTypeValidator` allow-list API, which addresses the class of bug rather than this single gadget. Independent of the upgrade, two configuration changes remove the preconditions: do not enable default typing for untrusted input (or, on 2.10+, enable it only with an allow-list validator), and drop the ActiveMQ artifacts from the classpath where they are not actually used.
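The following Java program, added here as an illustration and not taken from the advisory or from the Jackson project, shows the mechanism described under Technical Details and the configuration-level mitigation mentioned under Available Fixes. It uses a harmless stand-in class (`Gadget`) instead of any ActiveMQ type, the JSON payload is constructed for the demo, and the package prefix `com.example.dto.` is an assumed allow-list for the application's own payload types. The allow-list API (`activateDefaultTyping` with a `PolymorphicTypeValidator`) exists from jackson-databind 2.10 onward; the `enableDefaultTyping()` call is the 2.9-era configuration this CVE affects.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example (not from the advisory or the Jackson project): why polymorphic
 * typing turns any bean with side-effecting setters into a gadget, and how an
 * allow-list validator (jackson-databind 2.10+ API) refuses unexpected subtypes.
 * Gadget is a harmless stand-in written for this demo; no ActiveMQ class is used.
 */
public class PolymorphicTypingDemo {

    /** Hypothetical carrier object: a field typed as Object is exactly what default typing covers. */
    public static class Envelope {
        public Object payload;
    }

    /** Stand-in for a gadget: a public no-arg constructor plus a setter with a visible side effect. */
    public static class Gadget {
        public void setTarget(String target) {
            // A real gadget would open a connection, perform a lookup or run code here.
            System.out.println("Gadget.setTarget invoked with attacker value: " + target);
        }
    }

    /** Constructed attacker input: the type id selects the class, the object body drives its setters. */
    static final String PAYLOAD =
        "{\"payload\":[\"" + Gadget.class.getName()
        + "\",{\"target\":\"ldap://attacker.example/x\"}]}";

    /** Vulnerable configuration: global default typing with no subtype restriction (pre-2.10 style). */
    static Object deserializeUnsafe() throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10; this is what affected applications call
        Envelope e = mapper.readValue(PAYLOAD, Envelope.class);
        return e.payload; // a Gadget instance; setTarget already ran during readValue
    }

    /** Hardened configuration: default typing only for an explicit allow-list of subtypes. */
    static Object deserializeSafe() throws Exception {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.dto.") // assumed package of the application's own payload types
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        // Any type id outside the allow-list is rejected before the class is instantiated.
        Envelope e = mapper.readValue(PAYLOAD, Envelope.class);
        return e.payload;
    }

    public static void main(String[] args) throws Exception {
        Object o = deserializeUnsafe();
        System.out.println("unsafe mapper produced: " + o.getClass().getName());
        try {
            deserializeSafe();
            System.out.println("unexpected: safe mapper accepted the payload");
        } catch (JsonMappingException ex) {
            // Jackson reports the denied type id (InvalidTypeIdException in current releases).
            System.out.println("safe mapper rejected the payload: " + ex.getClass().getSimpleName()
                + ": " + ex.getOriginalMessage());
        }
    }
}
```

In the unsafe path the setter fires before `readValue` returns, which is the same point at which a real gadget acts; the hardened mapper refuses the type id before anything is instantiated. The validator is a mitigation for the class of bug, not a substitute for the upgrade: the fix for CVE-2020-11111 itself is 2.9.10.4 or later. To confirm the gadget precondition on a Maven build, list the ActiveMQ artifacts actually on the classpath with `mvn dependency:tree -Dincludes=org.apache.activemq`.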


Additional Resources

What are Similar Vulnerabilities to CVE-2020-11111?

Similar Vulnerabilities: CVE-2020-35490, CVE-2020-35728, CVE-2020-35729, CVE-2020-35730, CVE-2020-10650