CVE-2020-24616
Deserialization vulnerability in jackson-databind (Maven)
What is CVE-2020-24616 About?
This is a deserialization vulnerability in FasterXML jackson-databind 2.x before 2.9.10.6, affecting general-purpose data-binding functionality. It arises from mishandling serialization gadgets and typing, specifically related to `br.com.anteros.dbcp.AnterosDBCPDataSource`. This can lead to remote code execution. Exploitation is possible if an attacker can provide malicious serialized data.
Affected Software
Technical Details
FasterXML jackson-databind, when processing untrusted input with polymorphic deserialization enabled, can be coerced into loading and executing arbitrary code. The vulnerability in this instance specifically leverages br.com.anteros.dbcp.AnterosDBCPDataSource as a deserialization gadget. An attacker crafts a malicious JSON or equivalent payload that, when deserialized by jackson-databind, forces the instantiation of AnterosDBCPDataSource and triggers a JNDI lookup or similar mechanism to an attacker-controlled endpoint. This allows the attacker to achieve remote code execution on the server running the application.
What is the Impact of CVE-2020-24616?
Successful exploitation may allow attackers to remotely execute arbitrary code, leading to complete compromise of the server, data exfiltration, or denial of service.
What is the Exploitability of CVE-2020-24616?
Exploitation of this deserialization vulnerability requires the ability to send crafted serialized input to an application that uses the affected jackson-databind library. The complexity is moderate: the payload must be carefully constructed around the AnterosDBCPDataSource class. No prior authentication is required if the deserialization endpoint is publicly accessible. This is a remote vulnerability. Prerequisites are the presence of AnterosDBCPDataSource on the classpath and an application that deserializes untrusted data without adequate validation or class whitelisting. Jackson configurations that enable default typing (polymorphic type handling) for such input increase the risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| 0xkami | Link | cve-2020-24616 poc |
What are the Available Fixes for CVE-2020-24616?
About the Fix from Resolved Security
The patch blacklists additional dangerous classes from polymorphic deserialization in Jackson, preventing their instantiation via JSON input. This mitigates CVE-2020-24616 by blocking attackers from exploiting gadget classes that could allow arbitrary code execution during deserialization.
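To complement the blocklist in the patched release, the following is an added example (not code from this advisory or from the jackson-databind project) that places the weak default-typing configuration the Technical Details and Exploitability sections describe beside an allowlist-based one. It assumes jackson-databind 2.10 or later, where `activateDefaultTyping` with a `PolymorphicTypeValidator` is available, and a hypothetical application model package `com.example.app.model`; the type id in the constructed input is the gadget class named above with an empty body, so only the acceptance of the type id is tested.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingCheck {

    // Constructed input: a Jackson type-id array naming the gadget class from the
    // advisory. The object body is deliberately empty; what matters is whether the
    // type id is accepted at all, not what the class would do once instantiated.
    static final String UNTRUSTED_JSON =
        "[\"br.com.anteros.dbcp.AnterosDBCPDataSource\", {}]";

    // Weak setting: enableDefaultTyping() (deprecated since 2.10) accepts any class
    // on the classpath as a type id, relying only on the library's blocklist.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // Hardened setting: default typing restricted to an allowlist of the
    // application's own model package (hypothetical prefix, adjust for your app).
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.app.model.")
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // True when the mapper refuses the type id (validator denial, blocklist, or
    // class not on the classpath all surface as InvalidTypeIdException).
    static boolean rejectsGadgetTypeId(ObjectMapper mapper) {
        try {
            mapper.readValue(UNTRUSTED_JSON, Object.class);
            return false; // type id accepted and an instance was built
        } catch (InvalidTypeIdException e) {
            return true;
        } catch (Exception e) {
            return false; // failed later than type-id resolution: class was resolved
        }
    }

    public static void main(String[] args) {
        System.out.println("weak mapper rejects gadget type id: "
            + rejectsGadgetTypeId(weakMapper()));
        System.out.println("hardened mapper rejects gadget type id: "
            + rejectsGadgetTypeId(hardenedMapper()));
    }
}
```

On a classpath without the Anteros library both mappers report a rejection, so run the check against the real application classpath to see the difference the allowlist makes.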
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
  - >2.0.0, <2.9.10.6 → Upgrade to 2.9.10.6
Additional Resources
- https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://security.netapp.com/advisory/ntap-20200904-0006
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://osv.dev/vulnerability/GHSA-h3cw-g4mq-c5x2
What are Similar Vulnerabilities to CVE-2020-24616?
Similar Vulnerabilities: CVE-2020-24750, CVE-2020-36182, CVE-2020-36184, CVE-2019-12814, CVE-2019-14540
