CVE-2020-14195
Deserialization vulnerability in com.fasterxml.jackson.core:jackson-databind

Tags: Deserialization, Proof of concept, Fixable by Resolved Security

What is CVE-2020-14195 About?

This deserialization vulnerability in FasterXML jackson-databind 2.x (before 2.9.10.5) stems from the mishandled interaction between serialization gadgets and polymorphic typing, specifically involving the gadget class `org.jsecurity.realm.jndi.JndiRealmFactory`. When an application enables default typing and deserializes untrusted JSON, an attacker can name this class in the polymorphic type id and have it populated with attacker-controlled values; the resulting JNDI lookup can lead to arbitrary code execution or denial of service. Attack complexity is moderate because it depends on this gadget class being present on the application's classpath.

Affected Software

com.fasterxml.jackson.core:jackson-databind >2.9.0, <2.9.10.5

Technical Details

The vulnerability in FasterXML jackson-databind 2.x before 2.9.10.5 stems from the mishandled interaction between serialization gadgets and polymorphic typing, which permits insecure deserialization. Specifically, the class `org.jsecurity.realm.jndi.JndiRealmFactory` (from the JSecurity library) can be used as a deserialization gadget. When polymorphic (default) typing is enabled, the type id carried in the JSON decides which class Jackson instantiates, so an attacker can submit a JSON document whose type id names this class and whose properties populate it through its setters. Because the class was not on jackson-databind's built-in denylist of known gadget classes (`SubTypeValidator`), the default typing checks did not reject it; the populated `JndiRealmFactory` can then perform attacker-controlled JNDI lookups, which can lead to arbitrary code execution or disclosure of sensitive information.
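The two configurations that matter here, side by side, as an added example (not code from the advisory or from the Jackson project): the legacy default-typing setup that lets a JSON type id pick the target class, and the allowlist-based setup that rejects the same input. It assumes jackson-databind 2.10 or later (`activateDefaultTyping` and `BasicPolymorphicTypeValidator` were introduced in 2.10); `com.example.model.` is an assumed application package. The constructed payload only names the gadget class with an empty body, so it shows whether the type id is resolved without supplying any gadget properties or JNDI target.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example, not from the advisory or the jackson-databind project.
 * Assumes jackson-databind 2.10+ on the classpath.
 */
public class DefaultTypingDemo {

    // Constructed sample input: the type id names the gadget class from the
    // advisory; the object body is deliberately empty (no gadget properties,
    // no JNDI target). This is enough to see whether the type id is resolved.
    static final String GADGET_TYPE_ID_PAYLOAD =
            "[\"org.jsecurity.realm.jndi.JndiRealmFactory\", {}]";

    // Vulnerable setup: legacy default typing with no type validator. Any class
    // name in the type id is looked up on the classpath and, unless it is on
    // Jackson's built-in denylist, instantiated and populated from the JSON.
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }

    // Hardened setup: polymorphic typing is only activated behind an explicit
    // allowlist. "com.example.model." is an assumed application package; list
    // only the types the application genuinely needs to deserialize polymorphically.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Deserialize into Object so the type id in the JSON decides the target class,
    // and report what happened instead of propagating the exception.
    static String describe(ObjectMapper mapper, String json) {
        try {
            Object value = mapper.readValue(json, Object.class);
            return "type id resolved and instantiated: " + value.getClass().getName();
        } catch (InvalidTypeIdException e) {
            // Thrown when the validator denies the id or the class is not on the classpath.
            return "type id rejected: " + e.getTypeId();
        } catch (JsonMappingException e) {
            // Jackson's built-in denylist (SubTypeValidator) reports a blocked class here.
            return "deserialization refused: " + e.getOriginalMessage();
        } catch (JsonProcessingException e) {
            return "malformed input: " + e.getOriginalMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("vulnerable: " + describe(vulnerableMapper(), GADGET_TYPE_ID_PAYLOAD));
        System.out.println("hardened:   " + describe(hardenedMapper(), GADGET_TYPE_ID_PAYLOAD));
    }
}
```

On a patched jackson-databind the vulnerable mapper already refuses this class via the built-in denylist; on an unpatched one it resolves and instantiates it whenever the JSecurity jar is on the classpath (Jackson itself does not ship the class). The hardened mapper rejects the type id regardless of version, which is why an allowlist is the durable fix rather than keeping up with denylist additions.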

What is the Impact of CVE-2020-14195?

Successful exploitation may allow an attacker to execute arbitrary code on the server (remote code execution), bypass security restrictions, or cause a denial of service.

What is the Exploitability of CVE-2020-14195?

Exploitation requires the attacker to deliver specially crafted JSON to an application that deserializes untrusted input with a vulnerable jackson-databind version and polymorphic typing enabled (for example via `enableDefaultTyping()` or a `@JsonTypeInfo`-annotated property of type `Object`), so that the JSON can name the target class in its type id. The complexity is moderate: the attacker must know that the gadget is available and how the `JndiRealmFactory` class behaves when populated. Authentication is generally not required if the deserialization endpoint is exposed, and the attack is typically carried out remotely. No special privileges are needed when the vulnerable deserialization happens in a standard application context. The key conditions are the presence of the `org.jsecurity` library (and therefore `JndiRealmFactory`) on the application's classpath together with the vulnerable jackson-databind version. Applications that deserialize data from untrusted sources without validating the declared types against an allowlist are the most exposed.
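A small exposure check for the preconditions listed above, as an added example (not from the advisory): it answers two of the three questions a practitioner needs, whether the running jackson-databind is older than the fixed release (using the range given in the technical details, 2.x before 2.9.10.5) and whether the gadget class is reachable from the application class loader. Whether untrusted JSON is deserialized with default typing enabled still has to be answered by reviewing the `ObjectMapper` configuration. It assumes jackson-databind is on the classpath so that `PackageVersion.VERSION` can be read; the `verdict` wording is this example's own.

```java
import com.fasterxml.jackson.databind.cfg.PackageVersion;

/**
 * Added example, not from the advisory or the jackson-databind project.
 * Assumes jackson-databind is on the classpath (for PackageVersion.VERSION).
 */
public class Cve202014195Exposure {

    static final String GADGET_CLASS = "org.jsecurity.realm.jndi.JndiRealmFactory";

    // Fixed release per the advisory: 2.9.10.5. Jackson's own Version.compareTo()
    // ignores the fourth component, so compare the numeric components ourselves.
    static final int[] FIXED = {2, 9, 10, 5};

    // Parse "2.9.10.5", "2.9.10", or the hyphenated "2.9.10-5" form that
    // Version.toString() produces for a fourth component, into numeric parts.
    static int[] parseVersion(String version) {
        String[] parts = version.trim().split("[.\\-]");
        int[] out = new int[4];
        for (int i = 0; i < out.length && i < parts.length; i++) {
            try {
                out[i] = Integer.parseInt(parts[i]);
            } catch (NumberFormatException e) {
                out[i] = 0; // e.g. "SNAPSHOT" or "rc1": treat as lowest
            }
        }
        return out;
    }

    // True when the version is in the range the CVE describes:
    // any 2.x release before 2.9.10.5.
    static boolean isAffectedVersion(String version) {
        int[] v = parseVersion(version);
        if (v[0] != 2) {
            return false;
        }
        for (int i = 0; i < FIXED.length; i++) {
            if (v[i] != FIXED[i]) {
                return v[i] < FIXED[i];
            }
        }
        return false; // exactly 2.9.10.5
    }

    // Probe for the gadget class without initializing it (initialize=false),
    // so the check itself never runs any static initializer of the class.
    static boolean gadgetOnClasspath(ClassLoader loader) {
        try {
            Class.forName(GADGET_CLASS, false, loader);
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    static String verdict(String version, boolean gadgetPresent) {
        if (!isAffectedVersion(version)) {
            return "jackson-databind " + version + " is not in the affected range";
        }
        if (!gadgetPresent) {
            return "jackson-databind " + version + " is affected, but " + GADGET_CLASS
                    + " is not on the classpath; upgrade anyway, other gadget classes exist";
        }
        return "EXPOSED: jackson-databind " + version + " with " + GADGET_CLASS
                + " on the classpath; upgrade to 2.9.10.5 or later and replace default typing with an allowlist";
    }

    public static void main(String[] args) {
        String running = PackageVersion.VERSION.toString();
        boolean gadget = gadgetOnClasspath(Cve202014195Exposure.class.getClassLoader());
        System.out.println(verdict(running, gadget));
    }
}
```

Run it inside the application's own class loader (for example from an integration test or a management endpoint), not from a build machine: the gadget class only matters if it is loadable at runtime alongside the vulnerable jackson-databind, and shaded or fat-jar deployments can differ from what the build's dependency tree suggests.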

What are the Known Public Exploits?

PoC Author   Link   Commentary
Al1ex        Link   This is a simple test for FasterXML jackson-databind

What are the Available Fixes for CVE-2020-14195?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch extends the denylist in `SubTypeValidator` (`DEFAULT_NO_DESER_CLASS_NAMES`) with several more classes known to be usable as gadgets for remote code execution, so that polymorphic deserialization rejects them even when default typing is enabled. By adding these specific class names to the validation blocklist, the patch closes the avenue described in CVE-2020-14195 for arbitrary code execution through jackson-databind. Note that a denylist only covers gadgets that are already known; applications that must use polymorphic typing should additionally restrict accepted types to an explicit allowlist (a `PolymorphicTypeValidator` in 2.10 and later) rather than rely on the denylist alone.

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.10.5 → Upgrade to 2.9.10.5


Additional Resources

What are Similar Vulnerabilities to CVE-2020-14195?

Similar Vulnerabilities: CVE-2020-11112 , CVE-2020-10650 , CVE-2020-14060 , CVE-2019-14540 , CVE-2018-7489