CVE-2020-36187
Serialization Gadgets vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2020-36187 About?
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, specifically for the class org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource (the DBCP 1.x pool bundled with Apache Tomcat). An application that enables polymorphic type handling (default typing) on untrusted JSON, and has that class on its classpath, lets an attacker name it as a type id and drive its properties, which can lead to remote code execution or denial of service. Exploitation requires knowledge of the gadget, but where those preconditions hold the impact is high.
Affected Software
Technical Details
The flaw is an insecure-deserialization gadget, not a parser bug. Jackson only instantiates classes named in the input when polymorphic type handling is enabled, either globally through ObjectMapper.enableDefaultTyping() or per property through @JsonTypeInfo with a class-based type id. In that mode a JSON type id such as ["org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource", {...}] selects the class to construct, and Jackson then calls that class's bean setters with attacker-supplied values. jackson-databind 2.9.x guards default typing with a denylist of known gadget classes (SubTypeValidator); SharedPoolDataSource, an InstanceKeyDataSource subclass whose properties include a JNDI data-source name and environment, was missing from that list, so a type id naming it passed the check and the object could be driven toward code execution or resource exhaustion. The "typing" mishandling in the CVE title refers to exactly this: the typing mechanism lets the input choose the class, and the denylist meant to constrain that choice did not cover this class.
What is the Impact of CVE-2020-36187?
Successful exploitation allows a remote attacker who can reach a deserialization endpoint to execute arbitrary code in the application's JVM or to exhaust its resources (denial of service). Because the gadget runs inside the server process, the attacker inherits whatever privileges, credentials and network reach that process has.
What is the Exploitability of CVE-2020-36187?
Exploitation requires that the application (1) deserialize attacker-controlled JSON with jackson-databind 2.x before 2.9.10.8, (2) have polymorphic type handling enabled for the target type, typically via enableDefaultTyping(), and (3) have org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource on the classpath, which is common in applications embedding or deployed on Apache Tomcat. No authentication or special privilege is normally needed beyond reaching the endpoint, so the vector is remote. Complexity is moderate: the gadget class is public, but the attacker must establish that the target uses default typing and craft a payload for it. The highest-risk deployments feed JSON from API endpoints or message queues into a default-typing mapper with no type allowlist. An application that never enables default typing is not exposed through this gadget, even with the vulnerable jar present, unless some property uses @JsonTypeInfo with a class-based type id on an Object-typed or abstract field.
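To make the precondition from the technical details and exploitability sections concrete, here is an added example in Java; it is not code from this advisory or from the Jackson project. It contrasts the configuration the gadget chain needs, global default typing where the JSON names the class to build, with a configuration that restricts type ids to an application allowlist before any class is loaded. It assumes jackson-databind 2.10 or later, since BasicPolymorphicTypeValidator and activateDefaultTyping() were introduced in 2.10; the com.example.shapes package, the Shape and Circle types and the JSON inputs are constructed for the demonstration. The gadget class name appears only as a string and is never loaded or instantiated.

```java
package com.example.shapes;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example (not from the advisory or the Jackson project).
 * Assumes jackson-databind 2.10+ on the classpath: PolymorphicTypeValidator
 * and activateDefaultTyping() do not exist in 2.9.x.
 * Package name, Shape/Circle and all JSON inputs are constructed for the demo.
 */
public class DefaultTypingDemo {

    // Hypothetical application hierarchy: the only classes the hardened
    // mapper is allowed to instantiate from a type id.
    public static abstract class Shape { }
    public static class Circle extends Shape { public double radius; }

    // The gadget class named by CVE-2020-36187, used here only as a string.
    static final String GADGET =
        "org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource";

    // Jackson's default-typing wire format is a two-element array: [type id, value].
    static final String CIRCLE_JSON =
        "[\"com.example.shapes.DefaultTypingDemo$Circle\", {\"radius\": 2.0}]";
    static final String LIST_JSON   = "[\"java.util.ArrayList\", [1, 2]]";
    static final String GADGET_JSON = "[\"" + GADGET + "\", {}]";

    /** Weak configuration: whatever class name is in the input selects the class to build. */
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10; the pattern CVE-2020-36187 abuses
        return m;
    }

    /** Hardened configuration: type ids are checked against an allowlist, by name, first. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            // Prefix rule on the type id string: decided before the class is resolved,
            // so an unknown or blocklisted gadget is refused even when it is on the classpath.
            .allowIfSubType("com.example.shapes.")
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    /**
     * Deserializes into Object, the declared type real exploits target, and reports
     * which runtime class Jackson chose, or "REJECTED: ..." if the type id was refused.
     */
    static String classChosenBy(ObjectMapper mapper, String json) {
        try {
            Object value = mapper.readValue(json, Object.class);
            return value.getClass().getName();
        } catch (JsonMappingException e) { // InvalidTypeIdException in 2.10+
            return "REJECTED: " + e.getOriginalMessage();
        } catch (java.io.IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        ObjectMapper weak = vulnerableMapper();
        ObjectMapper safe = hardenedMapper();

        // Weak mapper: the input decides the class. Only the built-in denylist stands
        // between a type id and a constructor call, and CVE-2020-36187 is a gap in it.
        // (GADGET_JSON is deliberately not fed to the weak mapper.)
        System.out.println("weak   + list   : " + classChosenBy(weak, LIST_JSON));
        System.out.println("weak   + circle : " + classChosenBy(weak, CIRCLE_JSON));

        // Hardened mapper: the application's own subtype still works; a JDK class
        // and the DBCP gadget are both refused because they are outside the allowlist.
        System.out.println("safe   + circle : " + classChosenBy(safe, CIRCLE_JSON));
        System.out.println("safe   + list   : " + classChosenBy(safe, LIST_JSON));
        System.out.println("safe   + gadget : " + classChosenBy(safe, GADGET_JSON));
    }
}
```

Compile and run with jackson-databind 2.10 or later on the classpath. With the weak mapper the input picks the class, so both the ArrayList id and the Circle id come back as instantiated objects; the hardened mapper accepts Circle and throws for the gadget id and for ArrayList alike, because neither name is under the allowed prefix, and it does so without ever loading the gadget class. On 2.9.x, where no PolymorphicTypeValidator exists, the equivalent discipline is to not call enableDefaultTyping() at all and to use @JsonTypeInfo(use = JsonTypeInfo.Id.NAME) with @JsonSubTypes on the few types that genuinely need polymorphism, so that logical names rather than class names appear in the input.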
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-36187?
About the Fix from Resolved Security
This patch adds two Apache Tomcat DBCP datasource classes to the blocklist in Jackson's SubTypeValidator, so that a type id naming either of them is rejected during polymorphic deserialization. That closes the gadget chain behind CVE-2020-36187, in which untrusted data deserialized into these classes could lead to remote code execution. Note that the blocklist is reactive: it only covers gadget classes known when the release was cut, which is why this fix lands alongside a run of sibling CVEs for other DBCP datasource classes. The durable mitigation is to stop letting input select classes at all, either by not enabling default typing or by restricting it to an explicit allowlist of application types.
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- >2.0.0, <2.9.10.8 → Upgrade to 2.9.10.8
Releases from 2.10 onward are outside the affected range; they also deprecate enableDefaultTyping() in favour of activateDefaultTyping(PolymorphicTypeValidator, ...), which lets you restrict polymorphic type ids to an allowlist instead of relying on the blocklist alone.
Additional Resources
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://security.netapp.com/advisory/ntap-20210205-0005
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
What are Similar Vulnerabilities to CVE-2020-36187?
Similar Vulnerabilities: CVE-2020-36188, CVE-2020-35490, CVE-2020-36183, CVE-2017-7525, CVE-2019-12384
