CVE-2020-36188
Serialization Gadgets vulnerability in com.fasterxml.jackson.core:jackson-databind


What is CVE-2020-36188 About?

This FasterXML jackson-databind vulnerability affects versions before 2.9.10.8 and 2.6.7.5, arising from an insecure deserialization flaw involving specific logging library gadgets. Successful exploitation can lead to remote code execution or denial of service. Exploitation requires knowledge of specific gadget chains.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.6.7.5
    • >2.7.0, <2.9.10.8

Technical Details

The vulnerability in FasterXML jackson-databind stems from the unsafe interaction between 'serialization gadgets' and polymorphic typing configuration; the gadget class named for this CVE is 'com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource'. When a vulnerable version deserializes untrusted input with default typing enabled, the input itself names the class to instantiate, so an attacker can supply a payload that causes this gadget to be constructed and its code to run. Because the deserializer trusts the type named in the input rather than restricting it to an allowlist, the attacker controls which object is created and which methods are invoked on it, which ultimately enables remote code execution or resource exhaustion.

What is the Impact of CVE-2020-36188?

Successful exploitation may allow attackers to achieve remote code execution, cause denial of service conditions, or gain unauthorized access to underlying systems via insecure deserialization.

What is the Exploitability of CVE-2020-36188?

Exploitation generally involves sending a specially crafted, serialized object as input to an application using the vulnerable jackson-databind library. The complexity is high, as it requires constructing a precise gadget chain using the 'JNDIConnectionSource' and understanding the deserialization logic. No authentication or elevated privileges are typically required at the point of deserialization. This is a remote exploitation scenario. The main constraints involve the presence of the vulnerable jackson-databind version and the specific gadget class 'JNDIConnectionSource' on the application's classpath. Applications that accept and deserialize untrusted input, such as web services or message processors, are highly susceptible.

What are the Known Public Exploits?

PoC Author: Al1ex
Commentary: CVE-2020-36188 && Jackson-databind RCE

What are the Available Fixes for CVE-2020-36188?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch adds two classes from the New Relic embedded Logback framework to the denylist of types that cannot be deserialized. This prevents exploitation of CVE-2020-36188, which involves unsafe polymorphic deserialization that could allow remote code execution by deserializing attacker-controlled input into dangerous classes, such as those that access JNDI or database resources. By blocking these classes, the patch mitigates the risk of such attacks.
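As an added example (not code from this page, from Resolved Security or from the jackson project), here is the weak default-typing configuration from the Technical Details beside the hardened form that makes the denylist fix above a second line of defence rather than the only one: an allowlist validator refuses every type id outside the application's own model before any class is instantiated. It assumes jackson-databind 2.10 or later, where `BasicPolymorphicTypeValidator` and `activateDefaultTyping` exist; the `Event` and `LoginEvent` classes and the sample inputs are constructed for the example.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDefaultTyping {
    // Hypothetical application model: the only types input may legitimately name.
    public abstract static class Event {}
    public static class LoginEvent extends Event {
        public String user;
    }

    // Weak setting: any non-final class named in the input is instantiated, so the
    // only barrier between attacker-controlled JSON and a gadget is the denylist.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        return new ObjectMapper().enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Hardened setting: an allowlist validator. Type ids outside the Event
    // hierarchy are refused before the class is loaded or instantiated, whether
    // or not they appear on any denylist (this covers the logback JNDI gadget too).
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Event.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs in Jackson's WRAPPER_ARRAY type-id form: ["class", {...}].
        String legit = "[\"" + LoginEvent.class.getName() + "\",{\"user\":\"alice\"}]";
        String foreign = "[\"java.util.HashMap\",{\"k\":\"v\"}]";

        ObjectMapper hardened = hardenedMapper();
        Object ok = hardened.readValue(legit, Object.class);
        System.out.println("accepted: " + ok.getClass().getSimpleName());
        try {
            hardened.readValue(foreign, Object.class);
        } catch (InvalidTypeIdException e) {
            // The validator denied the type id; no HashMap (or gadget) was built.
            System.out.println("rejected type id: " + e.getTypeId());
        }

        // The weak mapper builds whatever class the input names.
        Object any = weakMapper().readValue(foreign, Object.class);
        System.out.println("weak mapper built: " + any.getClass().getName());
    }
}
```

The same `PolymorphicTypeValidator` should also be set on any mapper that relies on `@JsonTypeInfo` annotations with class-name type ids, since those take the same input-controlled path.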

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.6.7.5 → Upgrade to 2.6.7.5
  • com.fasterxml.jackson.core:jackson-databind
    • >2.7.0, <2.9.10.8 → Upgrade to 2.9.10.8


Additional Resources

What are Similar Vulnerabilities to CVE-2020-36188?

Similar Vulnerabilities: CVE-2020-36187, CVE-2020-35490, CVE-2020-36183, CVE-2017-7525, CVE-2019-12384