CVE-2020-11620
Polymorphic Typing vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2020-11620 About?
This vulnerability is a deserialization flaw in FasterXML jackson-databind 2.x before 2.9.10.4, concerning the class `org.apache.commons.jelly.impl.Embedded` (from `commons-jelly`). jackson-databind mishandles the interaction between serialization gadgets and polymorphic typing: when an application enables default typing, or otherwise lets untrusted input choose the class to instantiate, a crafted JSON document can name `Embedded` as the target type and use it as a gadget for remote code execution. Exploitation requires the gadget class on the application's classpath, polymorphic typing enabled on the receiving `ObjectMapper`, and a crafted input payload.
Affected Software
com.fasterxml.jackson.core:jackson-databind, 2.x versions before 2.9.10.4 (see Available Upgrade Options below).
Technical Details
The FasterXML jackson-databind library, in versions prior to 2.9.10.4, relies on an incomplete denylist (`SubTypeValidator`) to reject dangerous classes during polymorphic deserialization, and that denylist did not yet cover `org.apache.commons.jelly.impl.Embedded` (from `commons-jelly`). When polymorphic typing is active, the JSON document itself carries the fully qualified class name to instantiate. An attacker can therefore craft a payload that, upon deserialization by `jackson-databind`, instantiates `Embedded` and abuses its deserialization-time behaviour (constructor and property setters) as a gadget, leading to arbitrary code execution in the context of the application. The attack vector relies on the application processing untrusted serialized data without adequate type filtering, such as an allowlist of permitted subtypes.
What is the Impact of CVE-2020-11620?
Successful exploitation may allow attackers to achieve arbitrary code execution in the context of the application process; denial of service or information disclosure on the affected system are possible secondary outcomes.
What is the Exploitability of CVE-2020-11620?
Exploitation of this jackson-databind deserialization vulnerability is of moderate to high complexity. It requires an attacker to deliver malicious JSON to an application that uses a vulnerable `jackson-databind` version, and three conditions must hold on the receiving side: the `org.apache.commons.jelly.impl.Embedded` class from the `commons-jelly` library is on the application's classpath (it functions as the exploitable 'gadget'); polymorphic typing is enabled, either through default typing on the `ObjectMapper` or a `@JsonTypeInfo` annotation on a sufficiently broad base type; and the deserialization endpoint is reachable by the attacker. This is a remote attack. The vulnerability itself imposes no authentication requirement; if the endpoint that deserializes the input is unauthenticated, no credentials are needed. The likelihood of successful exploitation increases in applications that process untrusted external JSON data and carry a wide range of dependencies on their classpath, since each additional library may supply a usable gadget.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-11620?
About the Fix from Resolved Security
The patch adds further dangerous classes, including `org.apache.commons.jelly.impl.Embedded`, to the denylist in `SubTypeValidator`, so that their names are refused during polymorphic deserialization. This mitigates the gadget chain attack exploited by CVE-2020-11620, in which unsafe deserialization of these classes could allow arbitrary code execution or other malicious behavior, and closes this particular attack vector. Note that a denylist is reactive by nature: each newly discovered gadget class needs its own fix, so upgrading should be combined with disabling default typing where it is not needed, or restricting it with an explicit allowlist of the application's own types.
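The following example is added here to illustrate the Technical Details and fix sections above; it is editor-written code, not code from Resolved Security, FasterXML, or the original page. It assumes jackson-databind 2.10 or later on the classpath (so that both the deprecated `enableDefaultTyping` and the newer `activateDefaultTyping` compile), a hypothetical application class `Envelope` with an `Object`-typed property, and a hypothetical application package prefix `com.example.model.`. The untrusted payload is constructed for the example: it names the class from the advisory in Jackson's default-typing wrapper-array form, but its property object is an empty placeholder, not a working gadget chain.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingDemo {

    // Hypothetical application type (assumption). An Object-typed property is exactly
    // what default typing turns into an attacker-chosen class name in the JSON.
    public static class Envelope {
        public Object payload;
    }

    // Constructed payload in Jackson's WRAPPER_ARRAY default-typing form:
    // ["<fully qualified class>", {properties}]. The class name is the one from the
    // advisory; the empty property object is a placeholder, not a working gadget chain.
    static final String UNTRUSTED_JSON =
        "{\"payload\":[\"org.apache.commons.jelly.impl.Embedded\",{}]}";

    // The pattern that makes an application exploitable: global default typing with no
    // allowlist. Before 2.9.10.4 the only protection was the SubTypeValidator denylist,
    // which did not yet contain the Embedded class. enableDefaultTyping is deprecated
    // since 2.10 but still compiles, which is how this pattern survives in old code.
    @SuppressWarnings("deprecation")
    static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Hardened form (2.10+ API): an explicit allowlist of the application's own package.
    // Any class name outside the prefix is refused before the class is even loaded,
    // regardless of which gadget libraries happen to be on the classpath.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")   // hypothetical application package (assumption)
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Returns true when the mapper refuses to bind the payload. A false result means the
    // named class was resolved and instantiated, i.e. a real gadget would already have run.
    static boolean rejects(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Envelope.class);
            return false;
        } catch (JsonProcessingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("unsafe mapper rejects:   " + rejects(unsafeMapper(), UNTRUSTED_JSON));
        System.out.println("hardened mapper rejects: " + rejects(hardenedMapper(), UNTRUSTED_JSON));
    }
}
```

Run it with jackson-databind (and its jackson-core and jackson-annotations dependencies) on the classpath; `commons-jelly` is not needed to see the difference. The hardened mapper rejects the payload on every version, because `org.apache.commons.jelly.impl.Embedded` does not match the allowlist prefix. The unsafe mapper only rejects it on 2.9.10.4 or later, and only because that release added `Embedded` to the denylist; on an earlier version the outcome depends on whether `commons-jelly` is on the classpath, which is precisely the fragility the allowlist removes.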
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- >2.9.0, <2.9.10.4 → Upgrade to 2.9.10.4
Additional Resources
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://github.com/FasterXML/jackson-databind/issues/2682
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-11620
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://security.netapp.com/advisory/ntap-20200511-0004
What are Similar Vulnerabilities to CVE-2020-11620?
Similar Vulnerabilities: CVE-2020-11111, CVE-2019-20330, CVE-2020-10968, CVE-2019-14540, CVE-2017-7525
