CVE-2020-14062
Serialization Gadgets vulnerability in com.fasterxml.jackson.core:jackson-databind

Serialization Gadgets | No known exploit | Fixable by Resolved Security

What is CVE-2020-14062 About?

This vulnerability is a mishandled interaction between serialization gadgets and polymorphic typing in FasterXML jackson-databind, affecting 2.x versions before 2.9.10.5. An application that deserializes attacker-controlled JSON with default typing enabled can be made to instantiate com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (the gadget the CVE text labels xalan2) and drive it to perform a JNDI lookup against an attacker-controlled server, which can end in remote code execution. The class lives in the Xalan copy bundled with the JDK, so it may be reachable without any explicit Xalan dependency.

Affected Software

com.fasterxml.jackson.core:jackson-databind >2.9.0, <2.9.10.5

Technical Details

The flaw is in how jackson-databind 2.x before 2.9.10.5 combines polymorphic type handling with classes reachable on the classpath. When an application enables default typing (ObjectMapper.enableDefaultTyping()) or annotates an Object-, interface- or abstract-typed property with class-based @JsonTypeInfo, the JSON input names the concrete class to instantiate, and the library then calls that class's no-argument constructor and property setters with attacker-supplied values. jackson-databind mitigates this with a denylist of known gadget classes in SubTypeValidator, and before 2.9.10.5 that denylist did not contain com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). That class is part of the Xalan copy shipped in the JDK's com.sun.org.apache.xalan.internal namespace, so depending on the JDK build it can be present with no extra dependency, and it resolves a configurable JNDI path to obtain its data source. Crafted JSON that selects this class and sets its JNDI properties can therefore make the application perform a JNDI lookup against a naming service the attacker controls; where the JNDI client will load remote classes or deserialize attacker-supplied objects from the response, that lookup becomes remote code execution on the target system.
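The precondition that matters most, shown as an added example that is not from this page or from the Jackson project: a mapper with global default typing lets the JSON choose the concrete class for an Object-typed property, which is the path the JNDIConnectionPool gadget rides. A harmless stand-in class replaces the gadget here; the names Pretend and Envelope, the package prefix com.example.model. and the JSON input are assumptions for illustration. The allowlisted mapper at the end needs jackson-databind 2.10 or later, because activateDefaultTyping and BasicPolymorphicTypeValidator were introduced in 2.10; enableDefaultTyping is the 2.9-era API that the affected versions expose.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Stand-in for a gadget (assumed, not the xalan class): any classpath class with a
    // no-arg constructor and setters. It only prints, at the point where a real gadget
    // would do its dangerous work with the attacker-supplied value.
    public static class Pretend {
        public void setJndiPath(String p) {
            System.out.println("setter ran during deserialization with: " + p);
        }
    }

    // Model with an Object-typed property: under default typing the JSON picks the class.
    public static class Envelope {
        public Object payload;
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker-controlled input. The two-element array is the WRAPPER_ARRAY
        // encoding enableDefaultTyping() uses: [ "fully.qualified.ClassName", { properties } ].
        String input = "{\"payload\":[\"" + Pretend.class.getName()
                + "\",{\"jndiPath\":\"ldap://attacker.example/x\"}]}";

        // VULNERABLE: global default typing (OBJECT_AND_NON_CONCRETE). Any classpath class
        // not on SubTypeValidator's denylist is instantiated and its setters are called.
        ObjectMapper unsafe = new ObjectMapper();
        unsafe.enableDefaultTyping();
        Envelope e = unsafe.readValue(input, Envelope.class);
        System.out.println("unsafe: payload is " + e.payload.getClass().getName());

        // HARDENED (any version): no default typing. The same input is just data; the
        // array becomes an ArrayList holding a String and a LinkedHashMap, nothing runs.
        ObjectMapper plain = new ObjectMapper();
        Envelope p = plain.readValue(input, Envelope.class);
        System.out.println("plain: payload is " + p.payload.getClass().getName());

        // HARDENED (2.10+): polymorphism only for an explicit allowlist of subtypes.
        // The prefix com.example.model. is an assumed application package.
        ObjectMapper allowlisted = new ObjectMapper();
        allowlisted.activateDefaultTyping(
                BasicPolymorphicTypeValidator.builder()
                        .allowIfSubType("com.example.model.")
                        .build(),
                DefaultTyping.OBJECT_AND_NON_CONCRETE);
        try {
            allowlisted.readValue(input, Envelope.class);
        } catch (InvalidTypeIdException ex) {
            System.out.println("allowlisted: rejected type id " + ex.getTypeId());
        }
    }
}
```

On a fixed 2.9.10.5 build the first mapper still behaves exactly as shown for the stand-in class: the denylist only refuses the specific class names it knows, the real gadget among them, so an unsafe mapper stays one new gadget away from the next CVE. The second and third mappers remove the class of bug rather than one instance of it.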

What is the Impact of CVE-2020-14062?

Successful exploitation may allow attackers to execute arbitrary code with the privileges of the vulnerable application, potentially leading to full system compromise, data exfiltration, or denial of service.

What is the Exploitability of CVE-2020-14062?

Exploitation requires an application that deserializes attacker-controlled JSON with a vulnerable jackson-databind and with polymorphic typing enabled for some Object-, interface- or abstract-typed property; with Jackson's default configuration (no default typing, no class-based @JsonTypeInfo) the gadget is not reachable. No authentication is required beyond whatever protects the endpoint, so an internet-facing API that meets those conditions is exposed to unauthenticated remote attack. The attacker identifies such an input point and supplies a payload that names `com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool` as the concrete type and points it at a naming service they control. Two further conditions decide whether the resulting JNDI lookup turns into code execution: the application host must be able to reach the attacker's server (typically an LDAP or RMI listener), and the JDK's JNDI client must be willing to act on the response. Newer JDK releases disable remote codebase loading by default, which blocks the simplest payloads, although other JNDI techniques remain where suitable deserializable classes are on the classpath. The attacker needs working knowledge of Jackson polymorphic-type payloads and JNDI injection, so the complexity is moderate.

What are the Known Public Exploits?

No known public exploits are listed (PoC / Author / Link / Commentary: none).

What are the Available Fixes for CVE-2020-14062?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch adds "com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool" to the denylist in SubTypeValidator, so Jackson's polymorphic type handling refuses to instantiate it and the JSON that names it fails with an "Illegal type ... prevented for security reasons" error instead of reaching the class's setters. This closes CVE-2020-14062 by blocking the one class whose deserialization can trigger a JNDI lookup and, from there, remote code execution. The denylist is reactive by design: each entry blocks one class name, and every newly discovered gadget needs a new entry, which is why the 2.9.10.x line carries a series of such releases. An application that does not enable default typing on untrusted input is not exposed to this class of bug at all, and 2.10 and later add an allowlisting PolymorphicTypeValidator for cases where polymorphism is genuinely needed.

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.10.5 → Upgrade to 2.9.10.5


Additional Resources

What are Similar Vulnerabilities to CVE-2020-14062?

Similar Vulnerabilities: CVE-2017-7525, CVE-2017-15095, CVE-2018-7489, CVE-2019-14892, CVE-2020-17521