CVE-2020-14060
Deserialization vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2020-14060 About?
This deserialization vulnerability in FasterXML jackson-databind 2.x before 2.9.10.5 is one of the gadget-class denylist gaps: the library mishandles the interaction between serialization gadgets and polymorphic typing for `oadd.org.apache.xalan.lib.sql.JNDIConnectionPool`. That name is the Xalan `JNDIConnectionPool` class as relocated (shaded) under the `oadd.` prefix in Apache Drill's artifacts, which is what "aka apache/drill" in the CVE text refers to. When an application deserializes attacker-controlled JSON with default typing (or `@JsonTypeInfo` on an over-broad base type such as `Object`) and that class is on the classpath, a crafted document can make Jackson instantiate it and perform a JNDI lookup against an attacker-chosen name, which can end in remote code execution or denial of service. Attack complexity is higher than for a generic injection because it depends on a specific gadget being present and on a JNDI endpoint that actually delivers a payload.
Affected Software
Technical Details
The vulnerability in FasterXML jackson-databind 2.x before 2.9.10.5 arises from an unsafe interaction between serialization gadgets and the library's polymorphic typing: when default typing is enabled, or a property is declared with `@JsonTypeInfo` on a base type such as `Object`, `Serializable` or an interface, the type id in the JSON document selects which class Jackson instantiates, and only the denylist in `SubTypeValidator` stops an attacker from naming a dangerous one. `oadd.org.apache.xalan.lib.sql.JNDIConnectionPool`, the Xalan class shaded into Apache Drill's artifacts, was missing from that denylist. An attacker who can get a crafted document to a vulnerable `ObjectMapper` can have it instantiate `JNDIConnectionPool` and populate it so that the pool performs a JNDI lookup of an attacker-controlled name. Directed at an attacker-run LDAP or RMI endpoint, that lookup can return an object that loads or executes attacker-supplied code inside the application process.
What is the Impact of CVE-2020-14060?
Successful exploitation can give the attacker remote code execution with the privileges of the deserializing application, and with it the ability to bypass whatever access controls the application enforced, or can crash or hang the process (denial of service). Confidentiality, integrity and availability are all affected.
What is the Exploitability of CVE-2020-14060?
Exploitation requires that attacker-controlled JSON reach an `ObjectMapper` that resolves class names from the input, i.e. default typing is enabled or a property is declared with `@JsonTypeInfo` on an over-broad base type such as `Object`, `Serializable` or an interface, and that `oadd.org.apache.xalan.lib.sql.JNDIConnectionPool` (shipped in Apache Drill's shaded artifacts) is on the application's classpath. The attacker sends a document whose type id names that class and whose properties point the pool's JNDI lookup at a server the attacker controls. No authentication is needed beyond whatever the deserializing endpoint itself requires, and the attack is remote; any code that runs does so with the privileges of the application process. Complexity is higher than for a generic injection because the attacker must know or guess that the gadget is present and must supply a JNDI endpoint that actually yields code execution: remote class loading from JNDI references is disabled by default in current JDKs (`com.sun.jndi.ldap.object.trustURLCodebase` and its RMI counterpart default to `false`), so a working chain usually depends on a second, local deserialization gadget returned through LDAP. Applications that bind untrusted input to polymorphic types, and that have not pinned jackson-databind to a fixed version, are the ones at risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known public exploits | | |
What are the Available Fixes for CVE-2020-14060?
About the Fix from Resolved Security
The patch (jackson-databind commit d1c67a0 for issue #2688) extends the denylist in SubTypeValidator.java with this gadget's class name, alongside other names reported at the same time, so that polymorphic deserialization refuses the type id before the class is instantiated. Note what the denylist does and does not do: it blocks known gadgets by exact name, so every newly discovered gadget class needs a new entry and a new release; it is a stop-gap rather than a design fix. The structural fix, available since 2.10, is to drop global default typing and resolve polymorphic type ids through a `PolymorphicTypeValidator` allowlist, or to avoid binding untrusted input to `Object`-typed properties altogether (see the Jackson maintainer's write-up linked under Additional Resources).
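The preconditions described under Exploitability (polymorphic typing plus an attacker-chosen class name) and the difference between the denylist fix and an allowlist are easiest to see side by side. The Java class below is an added example written for this page; it is not code from jackson-databind, Apache Drill or Resolved Security. The package `com.example.model`, the `Event` type and the two constructed JSON documents are assumptions, and the hardened mapper needs jackson-databind 2.10 or later for the `PolymorphicTypeValidator` API.

```java
package com.example.model; // hypothetical package; the allowlist below admits only this prefix

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTyping {

    // Hypothetical application type that legitimately travels as a polymorphic value.
    public static class Event {
        public String name;
    }

    // The precondition this CVE needs: global default typing, so every Object-typed
    // value carries a class name chosen by whoever wrote the JSON. Only the
    // SubTypeValidator denylist stands between that name and instantiation.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    // Hardened form (2.10+): a type id must pass an explicit allowlist, so a gadget
    // class that is not yet on the denylist is rejected all the same.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    // Reports what a mapper does with a document: "accepted" means the named class was
    // instantiated; InvalidTypeIdException covers both "denied by the validator" and
    // "class could not be resolved", so the message is kept to tell them apart; any other
    // JsonMappingException is the 2.9.10.5+ denylist ("prevented for security reasons").
    static String probe(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return "accepted";
        } catch (InvalidTypeIdException e) {
            return "type id rejected: " + e.getOriginalMessage();
        } catch (JsonMappingException e) {
            return "mapping rejected: " + e.getOriginalMessage();
        } catch (Exception e) {
            return "other error: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs in the wrapper-array shape default typing uses for Object-typed
        // values. The gadget body is deliberately empty: the point is that the type id is
        // checked before any property of the named class is touched.
        String gadget = "[\"oadd.org.apache.xalan.lib.sql.JNDIConnectionPool\",{}]";
        String legit  = "[\"com.example.model.PolymorphicTyping$Event\",{\"name\":\"deploy\"}]";

        System.out.println("vulnerable mapper, gadget document: " + probe(vulnerableMapper(), gadget));
        System.out.println("hardened mapper,   gadget document: " + probe(hardenedMapper(), gadget));
        System.out.println("hardened mapper,   legit document : " + probe(hardenedMapper(), legit));
    }
}
```

What the legacy mapper prints for the gadget document depends on the environment, which is the point: on an unpatched 2.9.x with Drill's shaded Xalan on the classpath the class is instantiated; on 2.9.10.5 or later the denylist refuses it; without the class present it fails only because the name cannot be resolved, and a different gadget that is present would go through. The hardened mapper rejects the type id in every one of those cases and still accepts the application's own `Event`. The stronger control is not to bind untrusted JSON to `Object`, `Serializable` or interface-typed properties at all, so that no class name from the wire is ever resolved.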
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- >2.9.0, <2.9.10.5 → Upgrade to 2.9.10.5
Additional Resources
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/FasterXML/jackson-databind/issues/2688
- https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921
- https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
What are Similar Vulnerabilities to CVE-2020-14060?
Similar Vulnerabilities: CVE-2020-14195, CVE-2020-11112, CVE-2020-10650, CVE-2019-14540, CVE-2018-7489
