CVE-2020-14061
Serialization Gadgets vulnerability in com.fasterxml.jackson.core:jackson-databind

Serialization Gadgets | No known exploit | Fixable by Resolved Security

What is CVE-2020-14061 About?

This vulnerability in FasterXML jackson-databind 2.x before 2.9.10.5 stems from an improper interaction between serialization gadgets and typing, in this case through the Oracle JMS Connection Factory classes. An attacker who can supply crafted serialized data to an application that deserializes it with polymorphic type handling enabled can achieve remote code execution.

Affected Software

com.fasterxml.jackson.core:jackson-databind >2.9.0, <2.9.10.5

Technical Details

FasterXML jackson-databind versions 2.x before 2.9.10.5 are vulnerable because of an improper interaction between serialization gadgets and polymorphic typing, specifically involving the Oracle JMS Connection Factory classes (for example `oracle.jms.AQjmsQueueConnectionFactory` and `oracle.jms.AQjmsXATopicConnectionFactory`, shipped in the weblogic/oracle-aqjms libraries). When jackson-databind is configured for polymorphic type handling, an attacker can provide a specially crafted JSON payload that names one of these Connection Factory classes as the type. During deserialization, the application instantiates and configures that class using attacker-controlled parameters from the JSON. Those parameters can be manipulated to trigger arbitrary code execution through the gadget chain, abusing mechanisms inherent in the JMS Connection Factory's setup or resource-loading behaviour.

What is the Impact of CVE-2020-14061?

Successful exploitation may allow attackers to execute arbitrary code, achieve denial of service, or leak sensitive information, depending on the capabilities exposed by the deserialized gadget.

What is the Exploitability of CVE-2020-14061?

Exploitation of this vulnerability is of moderate complexity, requiring the ability to supply controlled serialized data (e.g., JSON) to an application that utilizes vulnerable versions of jackson-databind with polymorphic type handling. There are no inherent authentication or privilege requirements for the exploit itself beyond what is needed to transmit the malicious payload to the target application. This is typically a remote exploitation scenario. Key prerequisites include the presence of the vulnerable Jackson-databind version and the application's classpath containing the relevant Oracle JMS libraries (weblogic/oracle-aqjms). The vulnerability relies on the application performing deserialization of untrusted input using specific configurations, which is a common risk factor in enterprise applications.

What are the Known Public Exploits?

No known public exploits (PoC) have been published.

What are the Available Fixes for CVE-2020-14061?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch blocks deserialization of several Oracle AQ JMS connection factory classes by adding them to a denylist, preventing them from being used as polymorphic subtypes in Jackson databind. This mitigates gadget-based deserialization attacks that could result in remote code execution, thereby fixing CVE-2020-14061.
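As an added illustration (not code from this advisory or from the Jackson project), the Java program below contrasts the configuration this CVE depends on, unrestricted default typing, with the allowlist-based `PolymorphicTypeValidator` hardening that Jackson offers from 2.10 onwards, which stops depending on the denylist described above. The `Envelope` and `Note` classes and both JSON documents are constructed for the demonstration; the second document names a harmless JDK class as a stand-in for any class outside the allowlist.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingDemo {
    // Hypothetical application type: the untyped field is where default typing lets
    // the JSON document choose which concrete class gets instantiated.
    public static class Envelope { public String id; public Object payload; }
    // Hypothetical domain class the application legitimately expects in "payload".
    public static class Note { public String text; }

    // Weak setup: unrestricted default typing; any class on the classpath
    // (the Oracle AQ JMS factories included) may be named as the subtype.
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // OBJECT_AND_NON_CONCRETE, no validator
        return m;
    }

    // Hardened setup (Jackson 2.10+): an allowlist of subtypes, so a gadget class
    // absent from the library's denylist is still refused.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(PolymorphicTypingDemo.class.getName() + "$")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed documents in WRAPPER_ARRAY form ["class", value]; the second
        // names a harmless JDK class as a stand-in for anything off the allowlist.
        String legit = "{\"id\":\"1\",\"payload\":[\"" + Note.class.getName() + "\",{\"text\":\"hi\"}]}";
        String foreign = "{\"id\":\"2\",\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";
        Envelope ok = hardenedMapper().readValue(legit, Envelope.class);
        System.out.println("accepted: " + ok.payload.getClass().getName());
        try {
            hardenedMapper().readValue(foreign, Envelope.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected by allowlist: " + e.getTypeId());
        }
        Envelope weak = legacyMapper().readValue(foreign, Envelope.class);
        System.out.println("legacy accepted: " + weak.payload.getClass().getName());
    }
}
```

Running it with jackson-databind 2.10 or later on the classpath shows the hardened mapper rejecting the foreign type id while the legacy mapper instantiates whatever class the document names.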

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.10.5 → Upgrade to 2.9.10.5


Additional Resources

What are Similar Vulnerabilities to CVE-2020-14061?

Similar Vulnerabilities: CVE-2020-10673, CVE-2020-10672, CVE-2019-12384, CVE-2019-14540, CVE-2019-14439