CVE-2020-36183
Serialization Gadgets vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2020-36183 About?
This FasterXML jackson-databind vulnerability impacts versions before 2.9.10.8 and 2.6.7.5, relating to insecure deserialization with specific JNDI connection pool gadgets. It enables remote code execution or denial of service by abusing deserialization. Exploitation requires knowledge of specific gadgets but can be highly impactful.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
- >2.0.0, <2.6.7.5
- >2.7.00, <2.9.10.8
Technical Details
The vulnerability in FasterXML jackson-databind arises from an insecure deserialization flaw involving the 'org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool' gadget. When the library deserializes untrusted input, it can be tricked into instantiating this class, and a crafted serialized object referring to the gadget can make the deserialization process trigger unintended code execution. This is reachable through the handling of polymorphic 'typing' configurations: with default typing enabled, the input itself names the class to instantiate, so an attacker can specify arbitrary types for deserialization, bypass the library's checks, and use the gadget's JNDI mechanism for malicious purposes such as loading remote classes.
What is the Impact of CVE-2020-36183?
Successful exploitation may allow attackers to achieve remote code execution, denial of service, or unauthorized access to system resources by abusing insecure deserialization.
What is the Exploitability of CVE-2020-36183?
Exploitation of this vulnerability typically involves providing untrusted serialized data (e.g., JSON) to a jackson-databind endpoint. The complexity is high, requiring the identification of a suitable gadget chain and crafting a malicious payload that leverages the JNDIConnectionPool. There are usually no specific authentication or privilege requirements to trigger the deserialization, making this a remote attack vector. The primary constraint is the presence of the vulnerable library version and the specific gadget class on the classpath. Risk factors include applications that deserialize data from untrusted sources, particularly those that integrate with JNDI resources.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-36183?
About the Fix from Resolved Security
The patch prevents deserialization of the dangerous class org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool by adding it to Jackson's blocklist. This fixes CVE-2020-36183 by blocking a gadget chain that could allow remote code execution via maliciously crafted input exploiting this class during polymorphic deserialization.
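The following is an added example written for this page; it is not code from jackson-databind or from Resolved Security. It puts the weak configuration the Technical Details describe (global default typing with no allow-list, where only the built-in blocklist that this fix extends stands between a class name in the input and instantiation) beside the hardened configuration a practitioner should run. It assumes jackson-databind 2.10 or later for the PolymorphicTypeValidator API (the 2.6.x and 2.9.x fix lines above predate it); the com.example.app package and the Shape, Circle and Envelope types are hypothetical, and the probe document is constructed for the demo.

```java
package com.example.app;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Weak vs. hardened default-typing configuration for jackson-databind (2.10+ API).
 * Hypothetical application code; the types below are constructed for this demo.
 */
public class PolymorphicConfigDemo {

    /** Application base type whose subtypes are legitimately polymorphic (hypothetical). */
    public static abstract class Shape { }

    public static class Circle extends Shape {
        public double radius;
        public Circle() { }
        public Circle(double radius) { this.radius = radius; }
    }

    /** Payload is declared as Object, so global default typing adds a class-name type id. */
    public static class Envelope {
        public Object payload;
    }

    /**
     * Weak setting: global default typing with no allow-list. Any class name on the classpath
     * becomes a candidate for instantiation, and only Jackson's built-in blocklist (to which
     * the fix for CVE-2020-36183 adds one more entry) stands in the way.
     * enableDefaultTyping() is deprecated since 2.10 for exactly this reason.
     */
    @SuppressWarnings("deprecation")
    static ObjectMapper riskyMapper() {
        return new ObjectMapper().enableDefaultTyping(DefaultTyping.NON_FINAL);
    }

    /**
     * Hardened setting: an allow-list validator that accepts subtypes only from this
     * application's package. Any other type id named in the input is rejected with
     * InvalidTypeIdException before it can be instantiated.
     */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.")
                .build();
        return new ObjectMapper().activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
    }

    /**
     * Probe: does the mapper instantiate a class, named in the input, from outside the
     * application's package? Uses a harmless JDK class; the point is what the configuration
     * permits, not the class itself.
     */
    static boolean instantiatesForeignClass(ObjectMapper mapper) throws Exception {
        // Constructed input in Jackson's WRAPPER_ARRAY form: [type id, value].
        String doc = "{\"payload\":[\"java.util.HashMap\",{}]}";
        try {
            Envelope e = mapper.readValue(doc, Envelope.class);
            return e.payload instanceof java.util.HashMap;
        } catch (InvalidTypeIdException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper hardened = hardenedMapper();

        // Legitimate round trip still works: the type id carries the app's own class name.
        Envelope out = new Envelope();
        out.payload = new Circle(2.0);
        String json = hardened.writeValueAsString(out);
        System.out.println("serialized: " + json);
        Envelope in = hardened.readValue(json, Envelope.class);
        System.out.println("round-trip payload class: " + in.payload.getClass().getName());

        System.out.println("risky mapper instantiates foreign class: "
                + instantiatesForeignClass(riskyMapper()));      // true
        System.out.println("hardened mapper instantiates foreign class: "
                + instantiatesForeignClass(hardened));           // false
    }
}
```

The safest posture is still not to enable default typing at all and to declare polymorphism per property with @JsonTypeInfo and @JsonSubTypes, which works on every 2.x line; where default typing is unavoidable, an allow-list validator confines the type ids that input can name, independently of which gadgets the built-in blocklist happens to know about. After upgrading, confirm which artifact is actually resolved, since a transitive dependency can pin an older one: `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` prints the version on the classpath.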
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- >2.0.0, <2.6.7.5 → Upgrade to 2.6.7.5
- com.fasterxml.jackson.core:jackson-databind
- >2.7.00, <2.9.10.8 → Upgrade to 2.9.10.8
Additional Resources
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://security.netapp.com/advisory/ntap-20210205-0005
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://github.com/FasterXML/jackson-databind/commit/12e23c962ffb4cf1857c5461d72ae54cc8008f29
What are Similar Vulnerabilities to CVE-2020-36183?
Similar Vulnerabilities: CVE-2020-36187, CVE-2020-36188, CVE-2020-35490, CVE-2017-7525, CVE-2019-12384
