CVE-2020-11112
Deserialization vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2020-11112 About?
This Deserialization vulnerability in FasterXML jackson-databind allows attackers to bypass security mechanisms due to mishandling of serialization gadgets and typing, specifically involving `org.apache.commons.proxy.provider.remoting.RmiProvider`. Such exploitation can lead to arbitrary code execution or denial of service, and it typically requires a specially crafted serialized object, making exploitation moderately complex.
Affected Software
Technical Details
The vulnerability in FasterXML jackson-databind 2.x before 2.9.10.4 arises from an insecure interaction between serialization gadgets and the library's typing mechanisms. Specifically, the component `org.apache.commons.proxy.provider.remoting.RmiProvider` (found in apache/commons-proxy) can be leveraged during deserialization. An attacker can craft a malicious serialized object that, when deserialized by a vulnerable jackson-databind application, instantiates the `RmiProvider` and subsequently triggers unintended behavior or arbitrary code execution. This is often achieved by exploiting unexpected gadget chains where a legitimate class's methods are called during deserialization in a harmful sequence, bypassing type checks or other security controls implemented by jackson-databind.
What is the Impact of CVE-2020-11112?
Successful exploitation may allow attackers to execute arbitrary code remotely, bypass security restrictions, or cause a denial of service.
What is the Exploitability of CVE-2020-11112?
Exploitation typically requires an attacker to provide a specially crafted serialized object to the vulnerable application. This usually involves moderate complexity, as the attacker needs to understand the application's deserialization points and identify suitable gadget chains. No authentication is generally required if the deserialization endpoint is publicly accessible. Privilege requirements are often those of the vulnerable application itself. This is typically a remote attack, as the payload is sent over the network. Special conditions include the presence of `org.apache.commons.proxy.provider.remoting.RmiProvider` on the classpath and the use of a vulnerable jackson-databind version. An increased likelihood of exploitation occurs when applications accept serialized data from untrusted sources.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-11112?
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
  - >2.9.0, <2.9.10.4 → Upgrade to 2.9.10.4
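The upgrade adds `RmiProvider` to jackson-databind's gadget blocklist, but the Technical Details and Exploitability sections above describe the underlying root cause: default typing lets the JSON payload choose which class is instantiated. The example below is added here and is not code from the advisory or from the jackson-databind project. It shows the weak configuration next to a hardened one that uses the `PolymorphicTypeValidator` allow-list API (available in jackson-databind 2.10 and later, an assumption you should check against the version you run), so that only your own model types can be named in a type id and unknown classes are rejected before any instance is created. The `Animal`/`Dog` model and the package name are hypothetical.

```java
package com.example.jackson; // hypothetical package, not from the advisory

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Weak versus hardened default-typing configuration for jackson-databind.
 * Assumes jackson-databind 2.10 or later, where PolymorphicTypeValidator exists.
 */
public class DefaultTypingHardening {

    // Hypothetical application model: the only hierarchy this service needs
    // polymorphic handling for.
    public static abstract class Animal {
        public String name;
    }

    public static class Dog extends Animal {
        public boolean goodBoy = true;
    }

    // Weak setting (kept for contrast only): any class named in the JSON type id
    // may be instantiated, so a gadget class present on the classpath, such as the
    // commons-proxy RmiProvider the advisory names, becomes reachable from input.
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 because it is unsafe
        return mapper;
    }

    // Hardened setting: default typing is activated only with an allow-list
    // validator, so a type id must resolve to a subtype of Animal. Anything else,
    // including every blocklisted gadget and every future one, is rejected.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Animal.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static Animal parse(ObjectMapper mapper, String json) throws Exception {
        return mapper.readValue(json, Animal.class);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed inputs in the wrapper-array form Jackson uses for class-id
        // default typing: [ "fully.qualified.ClassName", { ...properties... } ].
        String allowed = "[\"" + Dog.class.getName() + "\", {\"name\": \"rex\"}]";
        String rejected = "[\"java.util.HashMap\", {}]"; // not an Animal subtype

        System.out.println("parsed: " + parse(mapper, allowed).name);
        try {
            parse(mapper, rejected);
            System.out.println("unexpected: HashMap accepted");
        } catch (InvalidTypeIdException e) {
            // Thrown by the validator before any instance of the named type is created.
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

The same validator can be installed with `mapper.setPolymorphicTypeValidator(ptv)` for code that relies on `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)` annotations rather than global default typing. Combining the version upgrade with an allow-list is the durable fix: the upgrade closes this gadget, the allow-list removes the class of bug, since a gadget that is not a subtype of your model type can never be selected regardless of what sits on the classpath.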
Additional Resources
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/FasterXML/jackson-databind/issues/2666
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html
- https://osv.dev/vulnerability/GHSA-58pp-9c76-5625
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
What are Similar Vulnerabilities to CVE-2020-11112?
Similar Vulnerabilities: CVE-2020-11111, CVE-2020-10673, CVE-2019-14540, CVE-2019-12814, CVE-2018-7489
