CVE-2020-11113
Serialization Gadgets vulnerability in jackson-databind (Maven)
What is CVE-2020-11113 About?
This vulnerability in FasterXML jackson-databind concerns improper handling of interactions between serialization gadgets and typing, specifically related to `org.apache.openjpa.ee.WASRegistryManagedRuntime`. This can lead to remote code execution or denial of service, making its impact high. Exploitation relies on specific deserialization attack patterns, which can be relatively easy for an attacker with knowledge of Java deserialization.
Affected Software
Technical Details
The vulnerability exists in FasterXML jackson-databind 2.x before 2.9.10.4 and is related to the interaction between serialization gadgets and polymorphic typing. Specifically, it mishandles the `org.apache.openjpa.ee.WASRegistryManagedRuntime` gadget (referred to as the openjpa gadget). When jackson-databind processes untrusted input in a deserialization context with polymorphic typing enabled, an attacker can craft a malicious serialized object that, when deserialized, executes arbitrary code or triggers other harmful actions within the application. This is typically achieved through a gadget chain in which the `WASRegistryManagedRuntime` class acts as a key component, allowing the attacker to bypass the library's class restrictions and execute commands on the underlying system.
What is the Impact of CVE-2020-11113?
Successful exploitation may allow attackers to achieve remote code execution, perform unauthorized actions, or cause a denial of service on the affected system.
What is the Exploitability of CVE-2020-11113?
Exploitation of this deserialization vulnerability typically involves a moderate level of complexity. Prerequisites include the application accepting untrusted serialized data (e.g., JSON with polymorphic typing enabled) and the org.apache.openjpa library being present in the classpath. Authentication requirements depend on whether the deserialization endpoint is protected; if it's an API endpoint accepting JSON, it might require authentication, but often deserialization occurs in contexts accessible without specific user authentication. No specific privilege requirements are mentioned, as the vulnerability is at the application and library level. This is generally a remote attack, where an attacker sends a specially crafted payload. The likelihood of exploitation is increased if the application developers are unaware of the dangers of deserializing untrusted input or if security filters for known gadgets are outdated or incomplete.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Al1ex | Link | CVE-2020-11113: Jackson-databind RCE |
What are the Available Fixes for CVE-2020-11113?
About the Fix from Resolved Security
The patch expands the blacklist in SubTypeValidator to include additional gadget classes known to allow remote code execution via unsafe deserialization when used with Jackson's polymorphic type handling. By forbidding these risky classes, it prevents attackers from exploiting them for arbitrary code execution, thereby mitigating CVE-2020-11113.
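As an added example (not code from this page or from the jackson-databind project), the weak default-typing configuration beside an allowlist-based one. It assumes jackson-databind 2.10 or later, where the PolymorphicTypeValidator API exists, and hypothetical application types Event and LoginEvent. The blacklist expanded in 2.9.10.4 only blocks gadgets already known; an allowlist rejects any type id outside the application's own classes, including the class named in this advisory, whether or not that class is on the classpath.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingDemo {

    // Hypothetical application types; only subtypes declared in this class are allowed.
    public static abstract class Event { public String id; }
    public static class LoginEvent extends Event { public String user; }

    /** The unsafe pattern: default typing with no validator (2.9-era API, deprecated in 2.10). */
    public static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // any class on the classpath may be named as a type id in the JSON
        return m;
    }

    /** Hardened: type ids must start with this class's name (the nested application types). */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(PolymorphicTypingDemo.class.getName() + "$")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a legitimate event in the "[type-id, object]" wrapper-array shape.
        String good = "[\"" + LoginEvent.class.getName() + "\",{\"id\":\"1\",\"user\":\"alice\"}]";
        // Constructed input: a type id naming the gadget class from the advisory, with no properties.
        String bad = "[\"org.apache.openjpa.ee.WASRegistryManagedRuntime\",{}]";

        ObjectMapper hardened = hardenedMapper();
        Event e = hardened.readValue(good, Event.class);
        System.out.println("accepted: " + e.getClass().getSimpleName() + " user=" + ((LoginEvent) e).user);

        try {
            hardened.readValue(bad, Event.class);
            System.out.println("UNEXPECTED: gadget type id accepted");
        } catch (InvalidTypeIdException ex) {
            // Unknown or disallowed type ids are refused before any gadget logic can run.
            System.out.println("rejected by validator: " + ex.getTypeId());
        }
    }
}
```

Logging the rejected type id, as the catch block does, also gives the SOC a concrete detection signal for probing against the endpoint.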
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- >2.9.0, <2.9.10.4 → Upgrade to 2.9.10.4
Additional Resources
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://github.com/FasterXML/jackson-databind/issues/2670
- https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://osv.dev/vulnerability/GHSA-9vvp-fxw6-jcxr
- https://nvd.nist.gov/vuln/detail/CVE-2020-11113
- https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
What are Similar Vulnerabilities to CVE-2020-11113?
Similar Vulnerabilities: CVE-2019-12384, CVE-2017-7525, CVE-2017-15095, CVE-2018-7489, CVE-2020-8840
