CVE-2020-36180
Deserialization vulnerability in jackson-databind (Maven)
What is CVE-2020-36180 About?
FasterXML `jackson-databind` 2.x before 2.9.10.8 (and 2.6.x before 2.6.7.5) mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS`. An attacker who controls data that the application deserializes with polymorphic typing enabled can name this class in the JSON and use it as a gadget to achieve arbitrary code execution. Exploitation is straightforward once the attacker controls the deserialized input and commons-dbcp2 is on the classpath.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
  - >2.0.0, <2.6.7.5
  - >2.7.0, <2.9.10.8
Technical Details
The vulnerability in FasterXML jackson-databind (versions 2.x before 2.9.10.8 and 2.6.x before 2.6.7.5) is a deserialization flaw. It arises from the mishandling of interactions between serialization gadgets and typing, specifically involving the org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS class. When jackson-databind is configured for polymorphic deserialization of a broad base type (default typing via enableDefaultTyping, or @JsonTypeInfo with a class-name type id on a field declared as Object or another wide base type), the JSON document itself names the class to instantiate. An attacker who names DriverAdapterCPDS as the type has Jackson construct that object and invoke its setters with attacker-chosen values during deserialization; the side effects of those setters are what lead to arbitrary code execution. The class is only usable as a gadget when commons-dbcp2 (or a package that embeds it) is present on the classpath, which is why the fix treats it as a denylisted type rather than a Jackson bug in isolation.
What is the Impact of CVE-2020-36180?
Successful exploitation may allow attackers to achieve remote code execution in the context of the application process, leading to full compromise of the affected system, data theft, or denial of service.
What is the Exploitability of CVE-2020-36180?
Exploitation complexity is moderate to low, provided the attacker can supply specially crafted JSON data to an application that deserializes it using jackson-databind. No authentication or specific privileges are required if the input channel is publicly accessible; this is typically a remote attack. Three conditions must hold at once: the application uses a vulnerable jackson-databind version, it is configured to allow polymorphic deserialization (default typing or an equivalent @JsonTypeInfo setup) on untrusted input, and commons-dbcp2 is on the classpath so that org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS is available as the gadget. Applications that never enable default typing are not exposed through this CVE even on a vulnerable version. Risk factors include APIs that accept JSON payloads from untrusted sources, message queues, or persistent storage where malicious data might be replayed into a deserializer later.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| cuijiung | Link | PoC for CVE-2020-36180 |
What are the Available Fixes for CVE-2020-36180?
About the Fix from Resolved Security
The patch extends the denylist in SubTypeValidator with additional class names related to commons-dbcp, dbcp2, and the variants embedded in Tomcat and other packages that could be abused for remote code execution when deserialized. By adding these class names to the denylist, it addresses CVE-2020-36180 by preventing attackers from using polymorphic deserialization in Jackson to instantiate hazardous classes known to enable JNDI lookups or similar attacks. As with the other 2.9.10.x micro-releases, this is a denylist entry rather than a structural fix: an application that continues to enable default typing on untrusted input remains exposed to any gadget class not yet on the list, so the upgrade should be paired with disabling default typing or restricting it to an explicit allow-list of sub-types.
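The following is an added example, not code from this advisory or from the jackson-databind project. It puts the default-typing configuration described under Technical Details (the one that lets a payload name DriverAdapterCPDS or any other classpath class) beside an allow-list configuration that shuts the whole gadget class down, and shows a type id outside the allow-list being rejected before any object is constructed. It assumes jackson-databind 2.10 or later, since PolymorphicTypeValidator does not exist in the 2.9.10.x line; the Shape and Circle types and both JSON documents are constructed for the demonstration.

```java
// Added example (not from the advisory or the jackson-databind project).
// Requires jackson-databind 2.10+ on the classpath for PolymorphicTypeValidator.
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical domain types standing in for a legitimate polymorphic hierarchy.
    public interface Shape { }

    public static class Circle implements Shape {
        public double radius;
    }

    // VULNERABLE: global default typing with no validator. Any class on the
    // classpath is a candidate sub-type, so a document whose type id is
    // "org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS" gets instantiated
    // and its setters called with attacker-chosen values. Only the SubTypeValidator
    // denylist stands between the attacker and a not-yet-listed gadget.
    // (Pre-2.10 code spells this mapper.enableDefaultTyping(); same effect.)
    @SuppressWarnings("deprecation")
    static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // HARDENED: default typing only for sub-types assignable to our own base type.
    // A type id outside the allow-list is refused before the object is constructed,
    // so no constructor or setter of a gadget class ever runs, whatever is on the
    // classpath. Disabling default typing entirely is safer still where possible.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)   // only our own hierarchy
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a legitimate document in Jackson's [typeId, value] form.
        String legit = "[\"" + Circle.class.getName() + "\", {\"radius\": 2.0}]";
        // Constructed input: a type id naming a class that is not a Shape. It stands
        // in for a gadget class; no real gadget is needed to see the difference.
        String hostile = "[\"java.util.HashMap\", {}]";

        // Both mappers accept the legitimate document.
        Shape s1 = unsafeMapper().readValue(legit, Shape.class);
        Shape s2 = hardenedMapper().readValue(legit, Shape.class);
        System.out.println("legit document: " + s1.getClass().getSimpleName()
                + " / " + s2.getClass().getSimpleName());

        // Target Object so the declared base type does not itself constrain the
        // sub-type; this mirrors Map<String, Object> / Object fields in real code.
        Object o = unsafeMapper().readValue(hostile, Object.class);
        System.out.println("unsafe mapper instantiated: " + o.getClass().getName());

        try {
            hardenedMapper().readValue(hostile, Object.class);
            System.out.println("hardened mapper accepted the type id (unexpected)");
        } catch (JsonMappingException e) {
            // Current releases throw InvalidTypeIdException (a JsonMappingException)
            // because the validator denied the sub-type.
            System.out.println("hardened mapper rejected: " + e.getOriginalMessage());
        }
    }
}
```

Run with jackson-databind 2.10 or later on the classpath. The unsafe mapper builds a java.util.HashMap from the hostile document, which is exactly the behaviour a gadget payload relies on; the hardened mapper throws on the same input while still deserializing the Circle document. The allow-list is the durable control here: the denylist extended by the patch only names classes already known to be dangerous.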
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
  - >2.0.0, <2.6.7.5 → Upgrade to 2.6.7.5
  - >2.7.0, <2.9.10.8 → Upgrade to 2.9.10.8
Additional Resources
- https://www.oracle.com/security-alerts/cpujul2021.html
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://security.netapp.com/advisory/ntap-20210205-0005
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b
- https://nvd.nist.gov/vuln/detail/CVE-2020-36180
What are Similar Vulnerabilities to CVE-2020-36180?
Similar Vulnerabilities: CVE-2020-35491, CVE-2020-35728, CVE-2020-35729, CVE-2020-35730, CVE-2020-35731
