CVE-2020-36185
Serialization Gadgets vulnerability in jackson-databind (Maven)


What is CVE-2020-36185 About?

This vulnerability in FasterXML jackson-databind is a deserialization-gadget bypass. When an application enables polymorphic deserialization (Jackson Default Typing, or `@JsonTypeInfo` on a property typed as `Object` or another loosely typed base) and feeds it untrusted JSON, the attacker can name `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource` as the class to instantiate, and jackson-databind versions before 2.9.10.8 do not refuse it. The result can be remote code execution or other severe impact if the attacker controls the serialized input. Exploitability depends on whether the application enables default typing on untrusted input and whether Tomcat DBCP2 is on the classpath.

Affected Software

com.fasterxml.jackson.core:jackson-databind >2.0.0, <2.9.10.8

Technical Details

The FasterXML jackson-databind library, versions 2.x before 2.9.10.8, mishandles the interaction between serialization gadgets and typing. Jackson's polymorphic deserialization (Default Typing, or an explicit `@JsonTypeInfo` on a loosely typed property) lets the JSON document name the concrete class to instantiate; Jackson then constructs that object and calls a setter for each JSON property it carries. Because arbitrary classes cannot be excluded in general, jackson-databind ships a deny list (`SubTypeValidator`) of known 'gadget' classes whose constructors or setters have dangerous side effects, and this CVE covers one class that was missing from it: `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`. When Tomcat DBCP2 is on the classpath and untrusted JSON is deserialized with default typing enabled, an attacker can select this class and populate its properties with attacker-chosen values, driving the data source's setup logic with attacker-controlled configuration. This is the same gadget pattern as the other jackson-databind datasource CVEs and can end in arbitrary code execution on the host.
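The configuration that turns the gadget into a vulnerability, and its hardened form, as an added example (this is not code from the page or from Jackson's own test suite). The sample JSON is constructed: it uses the wrapper-array shape Jackson emits for Default Typing, with the advisory's class as the type id and an empty property map, so it is not an exploit payload. `com.example.model.` is a hypothetical application package. `activateDefaultTyping` and `BasicPolymorphicTypeValidator` exist from jackson-databind 2.10 onward; on 2.9.10.8 the only protection is the extended deny list described in the fix section below.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicHardening {

    // Constructed sample input, not an exploit payload: the WRAPPER_ARRAY shape Jackson uses
    // for Default Typing, with the advisory's gadget class as the type id and no properties.
    static final String UNTRUSTED_JSON =
        "[\"org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource\", {}]";

    // VULNERABLE PATTERN: the JSON names any class, and Jackson instantiates it unless the
    // class is on the library's built-in deny list (the list this CVE's fix extends).
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    // HARDENED: polymorphic type ids are honoured only for classes under an application
    // package (hypothetical prefix, adjust to yours); everything else is refused up front.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Returns true when the hardened mapper refuses the type id. The validator runs
    // before any constructor or setter of the named class is invoked.
    static boolean hardenedMapperRejects(String json) {
        try {
            hardenedMapper().readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        } catch (Exception e) {
            throw new IllegalStateException("unexpected failure", e);
        }
    }

    public static void main(String[] args) {
        System.out.println("hardened mapper rejects gadget type id: "
            + hardenedMapperRejects(UNTRUSTED_JSON));
    }
}
```

The allowlist is the durable fix: the deny list only ever covers gadgets that have already been reported, whereas `allowIfSubType` refuses every class the application did not explicitly expect, including ones that appear in future CVEs. If the application does not actually need the JSON to choose concrete types, the better option is to not enable default typing at all and deserialize into concrete classes.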

What is the Impact of CVE-2020-36185?

Successful exploitation may allow attackers to achieve arbitrary code execution, denial of service, or unauthorized data access by manipulating the deserialization process of untrusted data.

What is the Exploitability of CVE-2020-36185?

Exploitation requires the attacker to deliver crafted JSON to an endpoint where an affected jackson-databind deserializes it with polymorphic typing enabled (Default Typing, or `@JsonTypeInfo` on a loosely typed property), so that the attacker rather than the application chooses the class to instantiate. Complexity is medium: the attacker must locate such a deserialization point, and the gadget class (`SharedPoolDataSource`, from Tomcat DBCP2) must be on the application's classpath. No prior authentication is needed if the deserializing endpoint is reachable anonymously, and the attack is fully remote. Likelihood rises for applications that accept untrusted JSON and either enable default typing globally or rely on the library's built-in deny list instead of an allowlist of permitted subtypes.
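A classpath audit for the preconditions just described, added here as an example (not the advisory's or Jackson's own code). It scans a directory of jars (default `lib`, a hypothetical path) for the gadget class file, reads jackson-databind's version from the pom.properties Maven embeds in the jar, and also checks whether the library's built-in deny list mentions the gadget, which catches patched builds on release lines other than the 2.9.10.8 this page lists. It assumes the deny list entries are plain string literals in `SubTypeValidator` and needs Java 11 or newer for `InputStream.readAllBytes()`. Whether default typing is enabled is a source-level question this scan cannot answer.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Properties;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Audits a directory of jars for two of the advisory's preconditions: an affected
// jackson-databind and the SharedPoolDataSource gadget being loadable from the classpath.
public class GadgetAudit {
    static final String GADGET_CLASS =
        "org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource";
    static final String GADGET_ENTRY = GADGET_CLASS.replace('.', '/') + ".class";
    // Maven embeds the artifact's own coordinates here; "version" is the exact release.
    static final String DATABIND_POM =
        "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties";
    // Jackson's built-in deny list of gadget classes. Assumption: its entries are plain
    // string literals, so a patched build carries the gadget's name in this class's constant pool.
    static final String DENY_LIST_CLASS =
        "com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.class";
    static final int[] FIXED = {2, 9, 10, 8}; // first fixed release listed on this page

    // True for a 2.x version numerically below 2.9.10.8, i.e. the range this page lists.
    // Other release lines (2.10.x, 2.11.x, ...) have their own patch releases; for those,
    // rely on denyListCoversGadget() rather than this comparison.
    static boolean isAffected(String version) {
        String[] parts = version.split("[.-]");
        int[] v = new int[4];
        for (int i = 0; i < 4; i++) {
            v[i] = (i < parts.length && parts[i].matches("\\d+")) ? Integer.parseInt(parts[i]) : 0;
        }
        if (v[0] != 2) return false;
        for (int i = 1; i < 4; i++) {
            if (v[i] != FIXED[i]) return v[i] < FIXED[i];
        }
        return false; // exactly 2.9.10.8
    }

    static String databindVersion(JarFile jar) throws IOException {
        JarEntry e = jar.getJarEntry(DATABIND_POM);
        if (e == null) return null;
        Properties p = new Properties();
        try (InputStream in = jar.getInputStream(e)) { p.load(in); }
        return p.getProperty("version");
    }

    static boolean denyListCoversGadget(JarFile jar) throws IOException {
        JarEntry e = jar.getJarEntry(DENY_LIST_CLASS);
        if (e == null) return false;
        try (InputStream in = jar.getInputStream(e)) {
            // ISO-8859-1 maps each byte to one char, so the ASCII class name survives intact.
            return new String(in.readAllBytes(), StandardCharsets.ISO_8859_1).contains(GADGET_CLASS);
        }
    }

    public static void main(String[] args) throws IOException {
        File dir = new File(args.length > 0 ? args[0] : "lib"); // hypothetical default
        File[] jars = dir.listFiles((d, name) -> name.endsWith(".jar"));
        if (jars == null) {
            System.err.println("not a directory: " + dir);
            return;
        }
        boolean gadgetOnClasspath = false;
        boolean databindAffected = false;
        for (File f : jars) {
            try (JarFile jar = new JarFile(f)) {
                if (jar.getJarEntry(GADGET_ENTRY) != null) {
                    gadgetOnClasspath = true;
                    System.out.println("gadget class present in " + f.getName());
                }
                String version = databindVersion(jar);
                if (version != null) {
                    boolean covered = denyListCoversGadget(jar);
                    databindAffected = isAffected(version) || !covered;
                    System.out.println("jackson-databind " + version + " in " + f.getName()
                        + (covered ? " (deny list covers gadget)" : " (deny list lacks gadget)"));
                }
            }
        }
        if (gadgetOnClasspath && databindAffected) {
            System.out.println("EXPOSED: affected jackson-databind and SharedPoolDataSource both on classpath");
        } else {
            System.out.println("not exposed via this gadget (check default typing separately)");
        }
    }
}
```

Run it as `java GadgetAudit /path/to/app/lib`. A jar that is present but whose deny list lacks the gadget is reported as affected even when its version is outside the range on this page, which is the conservative reading; a shaded jar that repackages `SubTypeValidator` under another name will also be flagged and should be inspected by hand.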

What are the Known Public Exploits?

No public proof-of-concept exploits are listed for this CVE (PoC, author, link and commentary columns are empty).

What are the Available Fixes for CVE-2020-36185?


About the Fix from Resolved Security

The patch adds two Tomcat DBCP2 datasource classes to jackson-databind's deny list of types that may never be the target of polymorphic deserialization (`SubTypeValidator`), so a type id naming them is rejected before the class is instantiated. This closes CVE-2020-36185, in which crafted JSON could instantiate the `SharedPoolDataSource` gadget and lead to remote code execution. A deny list only covers gadgets that are already known, so applications should still avoid Default Typing on untrusted input, or restrict it with an allowlist of permitted subtypes, because the next gadget class will not be on the list.

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.9.10.8 → Upgrade to 2.9.10.8


Additional Resources

What are Similar Vulnerabilities to CVE-2020-36185?

Similar Vulnerabilities: CVE-2020-36186 , CVE-2020-36187 , CVE-2020-36188 , CVE-2020-36189 , CVE-2020-36190