CVE-2020-35490
Serialization Gadgets vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2020-35490 About?
This FasterXML jackson-databind vulnerability affects versions before 2.9.10.8, involving an insecure deserialization flaw with specific data source gadgets. It can lead to remote code execution or denial of service by abusing deserialization mechanisms. Exploitation requires knowledge of specific gadgets but can be highly impactful.
Affected Software
Technical Details
The FasterXML jackson-databind library, versions before 2.9.10.8, is vulnerable to insecure deserialization caused by improper handling of 'serialization gadgets' in conjunction with polymorphic typing. Specifically, the 'org.apache.commons.dbcp2.datasources.PerUserPoolDataSource' class can be abused. When an attacker provides a specially crafted serialized object (e.g., JSON or XML) to an application using jackson-databind, the library may instantiate this vulnerable class without proper security checks. This can lead to arbitrary method invocation or resource allocation, allowing for remote code execution or denial of service.
What is the Impact of CVE-2020-35490?
Successful exploitation may allow attackers to achieve remote code execution, cause denial of service, or gain unauthorized access to system resources by abusing insecure deserialization.
What is the Exploitability of CVE-2020-35490?
Exploitation involves crafting and sending a malicious serialized object to a jackson-databind endpoint. The complexity is high, as it requires constructing a precise gadget chain and understanding the deserialization process. Typically, no authentication or specific privileges are needed to trigger the deserialization. This is a remote exploitation scenario. Key constraints include the presence of the vulnerable jackson-databind version and the 'PerUserPoolDataSource' class on the application's classpath. Applications that accept and deserialize untrusted input, particularly in Java environments, are at significant risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-35490?
About the Fix from Resolved Security
This patch updates the deny-list of class names in Jackson's SubTypeValidator by adding two potentially dangerous classes from Apache Commons DBCP2, preventing them from being deserialized. This fix addresses CVE-2020-35490 by blocking attackers from exploiting unsafe deserialization paths that could lead to remote code execution via these classes.
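The deny-list described above, like the ones added for the other gadget CVEs, is reactive: it blocks class names that are already known to be dangerous. The structural mitigation, which the Technical Details section implies and which the linked "On Jackson CVEs" post recommends, is to never let untrusted JSON name arbitrary classes in the first place: either do not enable default typing at all, or restrict polymorphic type resolution to an allow-list of your own types with a `PolymorphicTypeValidator` (jackson-databind 2.10 and later). The following is an added example written for this page, not code from the advisory, from Resolved Security, or from the jackson-databind project; the package prefix `com.example.` and the class `HardenedTypingExample` are hypothetical, and the JSON input is constructed for the self-test:

```java
// Added example (not from the advisory or from jackson-databind): hardened
// polymorphic-typing configuration and a self-test that the gadget class named
// in CVE-2020-35490 cannot be resolved as a type id. Requires jackson-databind 2.10+.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class HardenedTypingExample {

    // The risky configuration the gadget depends on (deprecated since 2.10). With
    // it, any polymorphic value may carry any class name, so only Jackson's
    // built-in deny-list stands between untrusted JSON and gadget classes that
    // happen to be on the classpath. Worth searching your code base for:
    //
    //   ObjectMapper weak = new ObjectMapper().enableDefaultTyping();

    /** Allow-list policy: only types under our own (hypothetical) package may be named in JSON. */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.")   // assumption: the application's package prefix
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    /**
     * Configuration self-test: returns true if the mapper refuses to resolve
     * className as a polymorphic type id. The value part is an empty object, so
     * no properties would be set even if resolution were allowed.
     */
    public static boolean rejectsTypeId(ObjectMapper mapper, String className) {
        // Constructed input in the [type-id, value] array form that default typing uses.
        String json = "[\"" + className + "\",{}]";
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            // Thrown both when the validator denies the name and when the class is
            // absent from the classpath; in either case nothing was instantiated.
            return true;
        } catch (java.io.IOException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        ObjectMapper mapper = hardenedMapper();
        // The class named in the advisory text.
        String gadget = "org.apache.commons.dbcp2.datasources.PerUserPoolDataSource";
        System.out.println("gadget class rejected: " + rejectsTypeId(mapper, gadget));
        // A harmless JDK type outside the allow-list is rejected too: the policy is
        // allow-by-name, not deny-by-name, so new gadgets need no new deny-list entry.
        System.out.println("java.util.HashMap rejected: " + rejectsTypeId(mapper, "java.util.HashMap"));
    }
}
```

Because `BasicPolymorphicTypeValidator` checks the type id string before any class is loaded, the self-test gives the same result whether or not Commons DBCP2 is on the classpath, which makes it a reasonable unit test to keep alongside the mapper configuration. Upgrading to 2.9.10.8 or later remains necessary for the built-in deny-list, but the allow-list is what removes the dependence on that list being complete.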
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- >2.0.0, <2.9.10.8 → Upgrade to 2.9.10.8
Additional Resources
- https://security.netapp.com/advisory/ntap-20210122-0005/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
What are Similar Vulnerabilities to CVE-2020-35490?
Similar Vulnerabilities: CVE-2020-36187, CVE-2020-36188, CVE-2020-36183, CVE-2017-7525, CVE-2019-12384
