CVE-2020-36186
Serialization Gadget vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2020-36186 About?
This vulnerability in FasterXML jackson-databind allows deserialization of untrusted data through a serialization gadget, the `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource` class. Processing malicious input can lead to remote code execution or other severe impacts; exploitation requires specific configurations but can be highly impactful.
Affected Software
Technical Details
The FasterXML jackson-databind library, versions 2.x before 2.9.10.8, is susceptible to a deserialization vulnerability. The flaw arises from mishandling the interaction between serialization gadgets and typing when processing input, particularly involving the `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource` class. An attacker can craft malicious JSON input that, when deserialized by a vulnerable jackson-databind instance, triggers execution of arbitrary code or other harmful operations. This is possible because the library can instantiate and call methods on classes named in the serialized data, bypassing its security checks when 'gadget' classes (such as PerUserPoolDataSource) are present on the classpath and their constructors or methods have side effects.
What is the Impact of CVE-2020-36186?
Successful exploitation may allow attackers to achieve remote code execution, denial of service, or other system compromise by providing specially crafted serialized data.
What is the Exploitability of CVE-2020-36186?
Exploitation requires the application to use a vulnerable version of FasterXML jackson-databind and to deserialize untrusted input without proper type filtering. The complexity is medium, as attackers need to identify suitable "gadget" classes on the target's classpath, such as `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`. No authentication is directly required to trigger the deserialization if the input processing endpoint is publicly accessible. This is a remote attack. Privilege requirements are dependent on the context in which the deserialization occurs, but generally, the attacker's code runs with the privileges of the application. The likelihood of exploitation increases if the application extensively processes user-supplied serialized data.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-36186?
About the Fix from Resolved Security
The patch adds two Apache Tomcat DBCP data source classes to the default blacklist in SubTypeValidator, preventing their deserialization by Jackson. This mitigates CVE-2020-36186 by blocking deserialization gadgets that could be exploited for remote code execution when processing untrusted data.
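The mechanism in the Technical Details above (class names taken from the input under default typing) and the denylist fix described here are complemented on the application side by an allowlist of the types the application actually expects. The following is an added example, not code from Jackson or from this advisory; it assumes jackson-databind 2.10 or later (where `activateDefaultTyping` and `BasicPolymorphicTypeValidator` exist), a hypothetical application package `com.example.app`, and constructed JSON inputs.

```java
package com.example.app;  // hypothetical application package

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingCheck {

    // Hypothetical domain types: the only polymorphic values this app expects on the wire.
    public interface Event {}
    public static class LoginEvent implements Event { public String user; }

    // Weak setting: global default typing lets the JSON name any class on the classpath.
    // Before 2.9.10.8 only the SubTypeValidator denylist stood between such input and
    // gadget classes like the DBCP data source named in this advisory.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        return new ObjectMapper().enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Hardened setting: an allowlist validator. Any type id outside the application's
    // own package is refused with InvalidTypeIdException, whatever the classpath holds.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.")
                .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Probe: does this mapper instantiate a class the application never declared?
    // java.util.HashMap is a harmless stand-in for any unexpected class name.
    static boolean acceptsUndeclaredType(ObjectMapper mapper) throws Exception {
        String json = "[\"java.util.HashMap\", {}]";   // constructed input
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (InvalidTypeIdException e) {
            return false;
        }
    }

    // Legitimate data still round-trips through the hardened mapper.
    static String readLoginUser(ObjectMapper mapper) throws Exception {
        String json = "[\"" + LoginEvent.class.getName() + "\", {\"user\":\"alice\"}]";
        return ((LoginEvent) mapper.readValue(json, Event.class)).user;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("weak mapper accepts undeclared type: " + acceptsUndeclaredType(weakMapper()));
        System.out.println("hardened mapper accepts undeclared type: " + acceptsUndeclaredType(hardenedMapper()));
        System.out.println("hardened mapper reads LoginEvent user: " + readLoginUser(hardenedMapper()));
    }
}
```

Upgrading to 2.9.10.8 or later closes this specific gadget; the allowlist removes the dependence on the denylist keeping pace with newly discovered gadget classes.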
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
  - >2.0.0, <2.9.10.8 → Upgrade to 2.9.10.8
Additional Resources
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-36186
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://security.netapp.com/advisory/ntap-20210205-0005
- https://www.oracle.com/security-alerts/cpuApr2021.html
What are Similar Vulnerabilities to CVE-2020-36186?
Similar Vulnerabilities: CVE-2020-35728, CVE-2017-7525, CVE-2018-7489, CVE-2019-12384, CVE-2018-1000613
