CVE-2020-35728
Serialization Gadget vulnerability in com.fasterxml.jackson.core:jackson-databind


What is CVE-2020-35728 About?

This vulnerability in FasterXML jackson-databind 2.x before 2.9.10.8 is a mishandling of serialization gadgets, specifically `com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool`. It allows deserialization of untrusted data that names this gadget, which can lead to remote code execution or denial of service when malicious input is processed; a successful attack can be highly impactful.

Affected Software

com.fasterxml.jackson.core:jackson-databind >2.0.0, <2.9.10.8

Technical Details

The FasterXML jackson-databind library, in versions 2.x prior to 2.9.10.8, is vulnerable to a deserialization flaw. The issue stems from its improper handling of the interaction between serialization gadgets and polymorphic typing when processing serialized data. The gadget identified in this CVE is `com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool`, an embedded Xalan class shipped in `org.glassfish.web/javax.servlet.jsp.jstl`. An attacker can craft input that, when deserialized by a vulnerable jackson-databind instance that resolves class names from the input, instantiates this gadget class. Its constructor or methods can then perform JNDI lookups or other operations with attacker-controlled parameters, leading to remote code execution (RCE) or other severe consequences by loading arbitrary classes or executing commands remotely.

What is the Impact of CVE-2020-35728?

Successful exploitation may allow attackers to achieve remote code execution, denial of service, or other system compromise by providing specially crafted serialized data.

What is the Exploitability of CVE-2020-35728?

Exploitation of this vulnerability requires the `JNDIConnectionPool` gadget (`com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool`) to be present on the application's classpath, in addition to a vulnerable jackson-databind version. The complexity of exploitation is moderate, as it involves crafting a specific serialized payload to trigger the gadget. No authentication is typically needed to send the malicious payload if the deserialization endpoint is reachable externally; this is a remote attack. Privilege requirements depend on the context in which the application runs: the attacker's code executes with the permissions of the vulnerable application. The existence of a proof of concept increases the likelihood of exploitation, particularly in environments where untrusted data is deserialized.

What are the Known Public Exploits?

PoC Author   Commentary
Al1ex        CVE-2020-35728 & Jackson-databind RCE

What are the Available Fixes for CVE-2020-35728?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch adds "com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool" to the blacklist of classes disallowed for polymorphic deserialization in Jackson. By blocking this class, the fix for CVE-2020-35728 prevents attackers from exploiting insecure deserialization that could lead to remote code execution via crafted JSON input.
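The patch above closes one gadget class. As an added example (not Resolved Security's patch or Jackson's own code), the configuration below shows the weak setting, where only a blacklist stands between the input and any class on the classpath, next to the allowlist-based setting that refuses unknown type ids whether or not the blacklist names them. It assumes Jackson 2.10 or later for the activateDefaultTyping/BasicPolymorphicTypeValidator API and a hypothetical com.example.app model package.

```java
package com.example.app;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingCheck {
    // Hypothetical application model type; only com.example.app.* is trusted.
    public static class Widget {
        public String name;
    }

    // Weak setting (Jackson 2.9 style): every non-final class on the classpath is a
    // candidate type id unless the built-in blacklist names it, which is why each
    // new gadget such as JNDIConnectionPool needs another blacklist entry.
    static ObjectMapper blacklistOnlyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    // Hardened setting (Jackson 2.10+): type ids are honoured only under the
    // application's own package, so a class missing from the blacklist is still
    // refused, before it is even loaded.
    static ObjectMapper allowlistMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.")
                .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // True if the mapper resolves the type id embedded in the JSON, false if it
    // refuses it with InvalidTypeIdException (denied by the validator or unknown).
    static boolean acceptsTypeId(ObjectMapper mapper, String json) throws Exception {
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (InvalidTypeIdException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs in Jackson's default wrapper-array type-id form.
        String trusted = "[\"com.example.app.PolymorphicTypingCheck$Widget\",{\"name\":\"ok\"}]";
        String foreign = "[\"com.example.other.NotOnAllowlist\",{\"name\":\"x\"}]";
        System.out.println("model type accepted: " + acceptsTypeId(allowlistMapper(), trusted));
        System.out.println("foreign type accepted: " + acceptsTypeId(allowlistMapper(), foreign));
    }
}
```

The `$Widget` form in the trusted input is the name `Class.getName()` returns for a nested class, which is what Jackson's class-name type id resolver compares against.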

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.9.10.8 → Upgrade to 2.9.10.8


Additional Resources

What are Similar Vulnerabilities to CVE-2020-35728?

Similar Vulnerabilities: CVE-2020-36186, CVE-2017-7525, CVE-2018-7489, CVE-2019-12384, CVE-2018-1000613