CVE-2020-36189
Deserialization vulnerability in jackson-databind (Maven)
What is CVE-2020-36189 About?
FasterXML jackson-databind 2.x before 2.9.10.8 (and the 2.6 branch before 2.6.7.5) mishandles the interaction between serialization gadgets and typing, related to the 'com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource' class: a copy of Logback's DriverManagerConnectionSource repackaged inside the New Relic Java agent, which the library's deserialization denylist did not cover. An application that deserializes untrusted JSON with polymorphic typing enabled can be made to instantiate this class, which can lead to remote code execution. Exploitation is not a one-shot: it needs polymorphic typing on the target value, the repackaged class on the classpath, and a follow-on (typically a JDBC driver) that turns the connection the gadget opens into code execution.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
- <2.6.7.5
- >=2.7.0, <2.9.10.8
Technical Details
This vulnerability arises from the incomplete denylist that jackson-databind uses (in SubTypeValidator) to keep known gadget classes out of polymorphic deserialization. The denylist matches fully-qualified class names, so 'com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource', the New Relic Java agent's shaded copy of Logback's 'ch.qos.logback.core.db.DriverManagerConnectionSource', was not matched even though the unshaded Logback class had already been blocked. The gadget itself is a plain bean: its setters take a JDBC driver class name, a connection URL, a user and a password. When an application deserializes attacker-controlled JSON with default typing enabled (or the class is reachable through an @JsonTypeInfo-annotated property whose base type admits it), Jackson instantiates the class and calls those setters with attacker-chosen values. Once the populated object is used, for example when its connection getter runs because the object is serialized again or otherwise touched, it opens a JDBC connection through DriverManager to the attacker-supplied URL. What happens next depends on which JDBC drivers are on the classpath: some drivers honour initialisation directives embedded in the URL, and that is the step that turns an open connection into arbitrary code execution. The attack vector therefore requires the application to accept untrusted JSON, deserialize it with a vulnerable jackson-databind version while polymorphic typing applies to that input, and have the repackaged Logback class loadable at runtime (in practice, the New Relic Java agent attached to the JVM).
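As an added illustration (not code from this page, from jackson-databind, or from New Relic), the following Java snippet contrasts the ObjectMapper configuration this class of gadget depends on with the hardened form. It assumes jackson-databind 2.10 or later on the classpath (the PolymorphicTypeValidator API does not exist in the 2.9 patch line listed on this page), uses a hypothetical application package com.example.app.model for the allowlist, and feeds both mappers a constructed JSON document that names a harmless JDK class where an attacker would name the gadget.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Constructed sample input in the wrapper-array shape that Jackson's
    // default typing accepts for an Object-typed value: [class name, value].
    // The class named here is harmless; an attacker would name a gadget such
    // as the repackaged DriverManagerConnectionSource and supply JDBC
    // properties (driver class, url, user, password) as the value instead.
    static final String UNTRUSTED_JSON =
            "[\"java.util.HashMap\", {\"key\": \"value\"}]";

    // Exposed configuration: legacy default typing lets the JSON pick any
    // class on the classpath, and only jackson-databind's name-based denylist
    // stands in the way. This is the pattern CVE-2020-36189 relies on.
    static ObjectMapper exposedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for this reason
        return mapper;
    }

    // Hardened configuration (requires jackson-databind 2.10 or later):
    // default typing is only activated together with a PolymorphicTypeValidator
    // that allows subtypes from the application's own model package
    // (com.example.app.model is a hypothetical name). Anything else, including
    // shaded copies of known gadgets, is rejected by construction rather than
    // by a denylist entry.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Returns the name of the class Jackson instantiated for the input, or
    // null when the mapper refused the type id. With a validator in place the
    // refusal surfaces as InvalidTypeIdException before any setter is called.
    static String classInstantiated(ObjectMapper mapper, String json) throws Exception {
        try {
            Object value = mapper.readValue(json, Object.class);
            return value.getClass().getName();
        } catch (InvalidTypeIdException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("exposed mapper instantiated: "
                + classInstantiated(exposedMapper(), UNTRUSTED_JSON));
        System.out.println("hardened mapper instantiated: "
                + classInstantiated(hardenedMapper(), UNTRUSTED_JSON));
    }
}
```

Run with jackson-databind on the classpath: the exposed mapper instantiates whatever class the JSON names, while the hardened mapper rejects the type id, so no setter of the named class is ever invoked. The upgrade this page lists closes the specific gap by denylisting the New Relic class name; not applying default typing to untrusted input at all, or allowlisting as shown, removes the whole family of shaded-class bypasses.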
What is the Impact of CVE-2020-36189?
Successful exploitation may allow attackers to execute arbitrary code on the server, gain control over the affected system, or access sensitive data.
What is the Exploitability of CVE-2020-36189?
Exploitation complexity is high. The attacker must craft a JSON document in the polymorphic-typing shape Jackson expects (a type id naming the gadget class plus its properties), and the application must: accept untrusted JSON; deserialize it with a vulnerable jackson-databind version while polymorphic typing applies to that input (default typing enabled, or an @JsonTypeInfo property whose base type is broad enough to admit the class); and have the repackaged Logback class loadable at runtime, which in practice means the New Relic Java agent is present. Authentication requirements depend on the endpoint: if the vulnerable deserialization happens before authentication, the attack is unauthenticated. No system privileges are needed to trigger the deserialization, and any resulting code runs with the privileges of the application process. The attack is remote. Factors that raise the likelihood of exploitation are publicly exposed endpoints that deserialize user-controlled JSON, custom deserializers or broad base types that widen the set of reachable classes, and outdated libraries or configurations.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-36189?
About the Fix from Resolved Security
The patch adds the New Relic repackaged Logback classes to the denylist in SubTypeValidator, so jackson-databind refuses to instantiate them during polymorphic deserialization and the gadget chain involving DriverManagerConnectionSource cannot be reached, addressing CVE-2020-36189. Note what kind of fix this is: a name-based denylist entry, which is why a shaded copy of an already-blocked class needed its own CVE. Upgrading closes this instance; not applying default typing to untrusted input (or, on 2.10 and later, restricting it with a PolymorphicTypeValidator allowlist) closes the class of bypasses.
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- <2.6.7.5 → Upgrade to 2.6.7.5
- com.fasterxml.jackson.core:jackson-databind
- >=2.7.0, <2.9.10.8 → Upgrade to 2.9.10.8
Additional Resources
- https://github.com/FasterXML/jackson-databind/issues/2996
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://security.netapp.com/advisory/ntap-20210205-0005
- https://www.oracle.com/security-alerts/cpuApr2021.html
What are Similar Vulnerabilities to CVE-2020-36189?
Similar Vulnerabilities: CVE-2022-42861, CVE-2020-36188, CVE-2020-36187, CVE-2020-36186, CVE-2020-36185
