CVE-2020-24750
Deserialization vulnerability in jackson-databind (Maven)
What is CVE-2020-24750 About?
This is a deserialization vulnerability in FasterXML jackson-databind versions 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6. It mishandles the interaction between serialization gadgets and typing, specifically related to `com.pastdev.httpcomponents.configuration.JndiConfiguration`. This can lead to remote code execution or denial of service. Exploitation requires the attacker to control the serialized data being deserialized by the application.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
  - >2.0, <2.6.7.5
  - >2.7.0, <2.9.10.6
Technical Details
The FasterXML jackson-databind library, when deserializing untrusted data, can be forced to instantiate and invoke methods on arbitrary classes present in the application's classpath due to improper handling of polymorphic typing. In this specific instance, the gadget chain involves com.pastdev.httpcomponents.configuration.JndiConfiguration. An attacker can embed specific class names and values within the JSON or XML payload. When jackson-databind attempts to deserialize this payload, it will instantiate JndiConfiguration, which can then connect to an attacker-controlled JNDI server to download and execute malicious code, bypassing deserialization countermeasures.
What is the Impact of CVE-2020-24750?
Successful exploitation may allow attackers to achieve remote code execution, perform sensitive data exfiltration, implant backdoors, or cause a denial of service on the affected application.
What is the Exploitability of CVE-2020-24750?
Exploitation of this deserialization vulnerability requires the attacker to supply a specially crafted malicious serialized object or data stream (e.g., JSON, XML) to a vulnerable jackson-databind endpoint. The complexity is moderate to high, as it requires knowledge of the gadgets available on the classpath and specific crafting of the payload. Authentication requirements vary by application, but often no prior authentication is needed if the deserialization occurs on a publicly accessible endpoint. This is a remote vulnerability. The presence of the vulnerable JndiConfiguration class on the classpath and the application's deserialization of untrusted input are critical prerequisites. Proper input validation and disabling polymorphic type handling for untrusted sources would mitigate the risk.
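The following is an added example, not code from this page or from the Jackson project, showing the weak default-typing setting beside a hardened one that uses Jackson's 2.10+ PolymorphicTypeValidator allow-list; the Notice, EmailNotice and Envelope types and the placeholder class name are constructed for the demo. The validator API does not exist on the 2.6.7.x and 2.9.10.x fixed lines; there the equivalent mitigation is to leave default typing disabled and rely on named subtypes declared with @JsonTypeInfo(use = NAME) and @JsonSubTypes.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingCheck {

    // Constructed demo types standing in for an application's own model.
    public interface Notice {}
    public static class EmailNotice implements Notice { public String address; }
    public static class Envelope { public Object body; }  // Object-typed field: default typing applies here

    // Weak setting: default typing with no validator, so any class named in the payload that is
    // present on the classpath may be resolved and instantiated. Shown only as the setting to remove.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // Hardened setting (Jackson 2.10+ API): default typing limited to Object-typed properties, and
    // only subtypes of the application's own Notice hierarchy may be resolved from a type id.
    // Do not allowIfBaseType(Object.class): an ALLOWED base type switches validation off entirely.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Notice.class)
                .build();
        return new ObjectMapper()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT);
    }

    // Returns true when the hardened mapper refuses a type id outside the allow-list.
    static boolean rejectsUnlistedType(String className) throws java.io.IOException {
        String payload = "{\"body\":[\"" + className + "\",{}]}";  // constructed sample input
        try {
            hardenedMapper().readValue(payload, Envelope.class);
            return false;
        } catch (InvalidTypeIdException denied) {
            return true;  // refused before any instance of the named class is created
        }
    }

    // Round-trips an allow-listed subtype to show the hardened mapper still handles intended types.
    static String roundTrip() throws java.io.IOException {
        ObjectMapper m = hardenedMapper();
        EmailNotice n = new EmailNotice();
        n.address = "ops@example.test";
        Envelope e = new Envelope();
        e.body = n;
        Envelope back = m.readValue(m.writeValueAsString(e), Envelope.class);
        return ((EmailNotice) back.body).address;
    }

    public static void main(String[] args) throws java.io.IOException {
        System.out.println("allow-listed subtype round-trips: " + roundTrip());
        // A class outside the allow-list is refused whether or not it exists on the classpath.
        System.out.println("java.util.Date refused: " + rejectsUnlistedType("java.util.Date"));
        System.out.println("placeholder class refused: "
                + rejectsUnlistedType("com.example.placeholder.NotAllowlisted"));
    }
}
```

Upgrading to a fixed release alone only extends the library's built-in class blocklist; the allow-list above is what removes the dependence on that list for polymorphic input.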
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Al1ex | Link | CVE-2020-24750 |
What are the Available Fixes for CVE-2020-24750?
About the Fix from Resolved Security
This patch adds com.pastdev.httpcomponents.configuration.JndiConfiguration to the blacklist of class names that Jackson will not deserialize. By blocking deserialization of this class, it prevents attackers from exploiting unsafe deserialization to achieve remote code execution, addressing the root cause of CVE-2020-24750.
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
  - >2.0, <2.6.7.5 → Upgrade to 2.6.7.5
  - >2.7.0, <2.9.10.6 → Upgrade to 2.9.10.6
Additional Resources
- https://github.com/FasterXML/jackson-databind/issues/2798
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://security.netapp.com/advisory/ntap-20201009-0003
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://osv.dev/vulnerability/GHSA-qjw2-hr98-qgfh
- https://www.oracle.com/security-alerts/cpuApr2021.html
What are Similar Vulnerabilities to CVE-2020-24750?
Similar Vulnerabilities: CVE-2020-36182, CVE-2020-36184, CVE-2020-24616, CVE-2019-12814, CVE-2019-14540
