CVE-2020-36179
Serialization vulnerability in com.fasterxml.jackson.core:jackson-databind

Tags: Serialization, Proof of concept, Fixable by Resolved Security

What is CVE-2020-36179 About?

FasterXML jackson-databind 2.x before 2.9.10.8 (and, on the 2.6 maintenance branch, before 2.6.7.5) mishandles the interaction between serialization gadgets and polymorphic typing, in this case with the class `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`. That class is a relocated (shaded) copy of Apache Commons DBCP's `DriverAdapterCPDS`; the `oadd.` prefix is the one Apache Drill uses when shading its JDBC driver's dependencies. When an application deserializes untrusted JSON with polymorphic typing enabled and that class is on the classpath, the attacker can name it as the type to instantiate and drive its side effects, which the public PoC chains to remote code execution (RCE). Exploitation is not trivial: it needs the specific gadget (and any helper classes its chain uses) available to the target, plus an endpoint that deserializes attacker-controlled input polymorphically.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.6.7.5
    • >2.7.0, <2.9.10.8

Technical Details

In affected versions, jackson-databind resolves polymorphic type ids into classes without adequately restricting which classes may be named. With default typing enabled (`ObjectMapper.enableDefaultTyping`, or `activateDefaultTyping` in 2.10+) or with `@JsonTypeInfo(use = Id.CLASS)` declared on a property, the type id is a fully-qualified class name taken straight from the JSON, so the attacker chooses which class Jackson instantiates and then populates through its setters. `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS` is such a gadget: it is an ordinary JavaBean whose setters act immediately on attacker-supplied values (`setDriver`, for example, loads the named driver class with `Class.forName`), and its connection properties (`url`, `user`, `password`) are likewise under the attacker's control. In the default-typing path Jackson relies on a denylist of known gadget class names (`SubTypeValidator`) to refuse dangerous types; before 2.9.10.8 / 2.6.7.5 this class was not on that list, so a crafted payload naming it passed the check. The public PoC listed below chains these side effects into SSRF and RCE; the exact chain depends on which JDBC drivers and other classes sit on the target's classpath.
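The configuration this CVE depends on, beside the hardened form, as an added example (this is not code from the original page or from the jackson-databind project). It assumes jackson-databind 2.9.x or later on the classpath; the `Notification` model, the `PolymorphicTypingDemo` class name and the JSON documents are constructed for illustration. The vulnerable mapper instantiates whatever class the JSON names (a harmless one here, in the same `[type id, value]` wire shape a gadget payload uses); the hardened mapper never consults a class name from the input and rejects an unknown type id before any class is loaded or any setter runs.

```java
// Added example: vulnerable vs hardened polymorphic deserialization in jackson-databind.
// Assumes jackson-databind 2.9+; model and inputs are constructed for this demo.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class PolymorphicTypingDemo {

    // VULNERABLE: global default typing. Every value bound to a non-final declared type
    // may now carry a fully-qualified class name as its type id, so the sender of the
    // JSON, not the application, decides which class Jackson instantiates and populates.
    // This is the precondition the DriverAdapterCPDS gadget needs.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // HARDENED: default typing stays off (Jackson's default). Polymorphism is declared
    // only on the model that needs it, with logical names mapped to a closed set of
    // subtypes; a class name in the JSON is never consulted.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Email.class, name = "email"),
        @JsonSubTypes.Type(value = Webhook.class, name = "webhook")
    })
    interface Notification {}

    public static class Email implements Notification { public String to; }
    public static class Webhook implements Notification { public String url; }

    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    public static void main(String[] args) throws Exception {
        // Default-typing wire format is a two-element array: [type id, value].
        // Constructed input: the shape an attacker uses, with a harmless class.
        String attackerPicksClass = "[\"java.util.concurrent.ConcurrentHashMap\",{\"a\":1}]";
        Object o = vulnerableMapper().readValue(attackerPicksClass, Object.class);
        // The class came from the JSON, not from the application's declared types.
        System.out.println("vulnerable mapper instantiated: " + o.getClass().getName());

        ObjectMapper safe = hardenedMapper();
        Notification n = safe.readValue(
                "{\"kind\":\"webhook\",\"url\":\"https://example.invalid/hook\"}",
                Notification.class);
        System.out.println("hardened mapper bound: " + n.getClass().getSimpleName());

        // A class name supplied as the type id is not a registered logical name, so
        // binding fails before any class is loaded or any setter is invoked.
        String hostile = "{\"kind\":\"oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS\","
                + "\"driver\":\"x\"}";
        try {
            safe.readValue(hostile, Notification.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

If global default typing genuinely cannot be removed, 2.10+ offers `activateDefaultTyping(PolymorphicTypeValidator, ...)` with a `BasicPolymorphicTypeValidator` allowlist of your own packages; that is an allowlist, which is the only configuration in which class-name type ids on untrusted input are defensible.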

What is the Impact of CVE-2020-36179?

Successful exploitation may allow attackers to achieve remote code execution, leading to complete system compromise, data theft, and full control over the affected application and host.

What is the Exploitability of CVE-2020-36179?

Exploitation requires control over input that the application deserializes polymorphically, plus knowledge of what is on the target's classpath. The prerequisites are:

  • an affected jackson-databind version (2.x before 2.9.10.8, or 2.6.x before 2.6.7.5);
  • the gadget class `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS` loadable on the application's classpath, together with whatever JDBC driver or helper classes the chosen chain needs;
  • an endpoint that deserializes attacker-controlled JSON with polymorphic typing enabled (default typing, or class-name type ids declared on the bound model).

No authentication or privileges are needed beyond reaching such an endpoint; the attack is a single crafted JSON document sent over the network. Note that the input is JSON, not Java serialization: the gadget is driven through ordinary bean setters, so the attacker must know the property names and the JDBC-side behaviour the chain relies on. Input "sanitization" does not help, because the payload is well-formed JSON; exposure is decided by the mapper configuration and the classpath, which is why applications that enable default typing on externally supplied input are the ones at risk.
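A startup self-check for the two static prerequisites above (affected version, gadget on the classpath), as an added example that is not from the original page or from any vendor. It assumes the databind version string is taken from your build (for example `mvn dependency:tree` or `gradle dependencies`); the `JacksonExposureCheck` class name and the sample versions in `main` are constructed. The third prerequisite, polymorphic typing on untrusted input, is a property of how the application configures and uses its `ObjectMapper` and has to be reviewed in code.

```java
// Added example: check the static preconditions of CVE-2020-36179 at startup.
// Version string is assumed to come from the build; sample inputs are constructed.
import java.util.Arrays;

public class JacksonExposureCheck {

    static final String GADGET = "oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS";

    // Leading digits of a version component ("10" from "10", 0 from "SNAPSHOT").
    static int leadingInt(String s) {
        int i = 0;
        while (i < s.length() && Character.isDigit(s.charAt(i))) i++;
        return i == 0 ? 0 : Integer.parseInt(s.substring(0, i));
    }

    // Parse "2.9.10.7" or "2.9.10" into four slots; a missing fourth component is 0,
    // so 2.9.10 sorts before the 2.9.10.8 micro-release as it should.
    static int[] parse(String version) {
        String[] parts = version.split("[.-]");
        int[] v = new int[4];
        for (int i = 0; i < 4 && i < parts.length; i++) v[i] = leadingInt(parts[i]);
        return v;
    }

    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 4; i++) {
            if (a[i] != b[i]) return Integer.compare(a[i], b[i]);
        }
        return 0;
    }

    // Affected ranges from the advisory: 2.0.0 up to (excluding) 2.6.7.5, and
    // 2.7.0 up to (excluding) 2.9.10.8. Anything 2.10+ is outside both ranges.
    static boolean isAffectedVersion(String version) {
        int[] v = parse(version);
        boolean oldBranch = compare(v, parse("2.0.0")) >= 0 && compare(v, parse("2.6.7.5")) < 0;
        boolean newBranch = compare(v, parse("2.7.0")) >= 0 && compare(v, parse("2.9.10.8")) < 0;
        return oldBranch || newBranch;
    }

    // initialize=false: ask only whether the class is loadable, without running its
    // static initializer.
    static boolean gadgetOnClasspath(ClassLoader loader) {
        try {
            Class.forName(GADGET, false, loader);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    static String assess(String databindVersion, ClassLoader loader) {
        boolean badVersion = isAffectedVersion(databindVersion);
        boolean gadget = gadgetOnClasspath(loader);
        if (badVersion && gadget) {
            return "EXPOSED: jackson-databind " + databindVersion + " is affected and "
                    + GADGET + " is on the classpath";
        }
        if (badVersion) {
            return "UPGRADE: jackson-databind " + databindVersion + " is affected; this gadget is "
                    + "absent, but other denylisted gadgets may not be";
        }
        return "OK on version; still confirm no default typing is applied to untrusted input";
    }

    public static void main(String[] args) {
        // Constructed sample versions spanning both branches and their boundaries.
        for (String v : Arrays.asList("2.6.7.4", "2.6.7.5", "2.9.10", "2.9.10.7", "2.9.10.8", "2.12.1")) {
            System.out.println(v + " affected=" + isAffectedVersion(v));
        }
        System.out.println(assess("2.9.10.7", JacksonExposureCheck.class.getClassLoader()));
    }
}
```

Pass the class loader of the web application or module that actually performs the deserialization; in servlet containers and OSGi runtimes the gadget may be visible from one loader and not another.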

What are the Known Public Exploits?

PoC author   Link   Commentary
Al1ex        Link   CVE-2020-36179~82 Jackson-databind SSRF&RCE

(The "~82" in the title means the PoC covers CVE-2020-36179 through CVE-2020-36182, the four `DriverAdapterCPDS` variants across Commons DBCP and Tomcat's bundled copies of it.)

What are the Available Fixes for CVE-2020-36179?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch expands the denylist of class names that Jackson will refuse to deserialize, adding dangerous classes from Apache Commons DBCP, Tomcat DBCP, and similar libraries. This prevents attackers from selecting these gadgets through polymorphic deserialization, closing the vector used in CVE-2020-36179. A denylist, however, only stops the gadgets it names, and this CVE is one of a series of such entries; treat it as a backstop rather than the primary control, and keep default typing disabled on untrusted input (or, on 2.10+, use a PolymorphicTypeValidator with an explicit allowlist).

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >=2.0.0, <2.6.7.5 → Upgrade to 2.6.7.5
  • com.fasterxml.jackson.core:jackson-databind
    • >=2.7.0, <2.9.10.8 → Upgrade to 2.9.10.8


Additional Resources

What are Similar Vulnerabilities to CVE-2020-36179?

Similar Vulnerabilities: CVE-2019-12384, CVE-2019-14540, CVE-2019-14892, CVE-2019-16942, CVE-2020-8840 (all jackson-databind polymorphic-typing gadget issues, each fixed by a further denylist entry)