CVE-2020-8840
Deserialization vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2020-8840 About?
FasterXML jackson-databind 2.x versions before 2.6.7.4, 2.7.9.7, 2.8.11.5, and 2.9.10.2 are vulnerable due to inadequate blocking of xbean-reflect/JNDI gadgets. This allows for deserialization of untrusted data, potentially leading to remote code execution. Exploitation requires specific knowledge of gadget chains and JNDI.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
- >2.0.0, <2.6.7.4
- >2.7.0, <2.7.9.7
- >2.8.0, <2.8.11.5
- >2.9.0, <2.9.10.3
Technical Details
FasterXML jackson-databind 2.x versions before 2.6.7.4, 2.7.9.7, 2.8.11.5 and 2.9.10.2 suffer from a deserialization vulnerability stemming from insufficient blocking of certain `xbean-reflect` and JNDI gadgets, specifically `org.apache.xbean.propertyeditor.JndiConverter`. When `jackson-databind` is configured for polymorphic deserialization (e.g., via `DefaultTyping.JAVA_LANG_OBJECT`), and an attacker provides a maliciously crafted JSON payload that specifies the `JndiConverter` class, the deserializer attempts to instantiate this class. The `JndiConverter` can then be leveraged to perform arbitrary JNDI lookups, potentially leading to remote code execution by fetching and executing code from an attacker-controlled LDAP or RMI server.
What is the Impact of CVE-2020-8840?
Successful exploitation may allow attackers to achieve arbitrary code execution by leveraging deserialization vulnerabilities, leading to full system compromise.
What is the Exploitability of CVE-2020-8840?
Exploiting this deserialization vulnerability is complex: the attacker must craft a specialized JSON payload that triggers the `JndiConverter` gadget, and needs to know the application's classpath to identify available gadgets and, potentially, a JNDI injection endpoint. There are no explicit authentication or privilege requirements beyond the ability to submit arbitrary JSON data to a vulnerable deserialization endpoint. The vulnerability is remotely exploitable, as the malicious JSON is sent over the network. Specific conditions are that the application uses `jackson-databind` to deserialize untrusted input, especially with polymorphic typing enabled, and that `xbean-reflect` is present on the classpath. Risk is increased by processing untrusted external data and by not implementing deserialization whitelisting or blacklisting effectively.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| jas502n | Link | FasterXML/jackson-databind remote code execution vulnerability |
| fairyming | Link | CVE-2020-8840: FasterXML/jackson-databind remote code execution vulnerability |
| Wfzsec | Link | Derived from jackson-CVE-2020-8840; requires autotype to be enabled |
What are the Available Fixes for CVE-2020-8840?
About the Fix from Resolved Security
This patch adds `org.apache.xbean.propertyeditor.JndiConverter` to the blacklist of classes that cannot be deserialized by Jackson. By blocking deserialization of this class, it prevents attackers from exploiting unsafe Java object deserialization leading to remote code execution, which is the core of vulnerability CVE-2020-8840.
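The configuration the Technical Details section describes (default typing on `Object`-typed fields) beside its hardened counterpart, as an added example that is not part of this advisory, of the patch, or of jackson-databind itself. It assumes jackson-databind 2.10 or later (where `activateDefaultTyping` and `PolymorphicTypeValidator` were introduced) and uses the hypothetical `Envelope` and `Greeting` classes; the sample JSON documents are constructed and name only a benign unlisted class, since an allow-list refuses any class it does not expect, gadget or not.

```java
import java.io.IOException;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingHardening {
    // Hypothetical DTO with an Object-typed field: the slot that
    // DefaultTyping.JAVA_LANG_OBJECT makes polymorphic.
    public static class Envelope { public Object payload; }
    // Hypothetical payload type the application legitimately expects.
    public static class Greeting { public String text; }

    // Vulnerable setup (API deprecated since 2.10): the JSON may name any
    // class on the classpath, which is what the gadget chain relies on.
    @SuppressWarnings("deprecation")
    public static ObjectMapper vulnerableMapper() {
        return new ObjectMapper()
            .enableDefaultTyping(ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT);
    }
    // Hardened setup: default typing gated by an explicit allow-list. Unlisted
    // classes are refused before instantiation, independent of any blocklist.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Greeting.class)
            .build();
        return new ObjectMapper()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT);
    }
    // True if the mapper accepts the type named in the payload slot, false if denied.
    public static boolean accepts(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Envelope.class);
            return true;
        } catch (JsonMappingException e) {
            return false; // type id denied by the validator or not resolvable
        } catch (IOException e) {
            throw new IllegalArgumentException("malformed JSON", e);
        }
    }

    public static void main(String[] args) {
        // Constructed samples: the expected type, and a benign but unlisted
        // class (java.util.HashMap) standing in for any unexpected type.
        String expected = "{\"payload\":[\"" + Greeting.class.getName() + "\",{\"text\":\"hi\"}]}";
        String unlisted = "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";
        System.out.println("vulnerable accepts unlisted: " + accepts(vulnerableMapper(), unlisted));
        System.out.println("hardened accepts expected:   " + accepts(hardenedMapper(), expected));
        System.out.println("hardened accepts unlisted:   " + accepts(hardenedMapper(), unlisted));
    }
}
```

The blocklist patch above stops one known gadget; the allow-list form is the complementary control, since it also refuses gadgets that have not been blocklisted yet.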
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- >2.0.0, <2.6.7.4 → Upgrade to 2.6.7.4
- com.fasterxml.jackson.core:jackson-databind
- >2.7.0, <2.7.9.7 → Upgrade to 2.7.9.7
- com.fasterxml.jackson.core:jackson-databind
- >2.8.0, <2.8.11.5 → Upgrade to 2.8.11.5
- com.fasterxml.jackson.core:jackson-databind
- >2.9.0, <2.9.10.3 → Upgrade to 2.9.10.3
Additional Resources
- https://lists.apache.org/thread.html/rc717fd6c65190f4e592345713f9ef0723fb7d71f624caa2a17caa26a%40%3Cdev.ranger.apache.org%3E
- https://lists.apache.org/thread.html/r319f19c74e06c201b9d4e8b282a4e4b2da6dcda022fb46f007dd00d3%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rdea588d4a0ebf9cb7ce8c3a8f18d0d306507c4f8ba178dd3d20207b8%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r2fa8046bd47fb407ca09b5107a80fa6147ba4ebe879caae5c98b7657%40%3Cdev.ranger.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.apache.org/thread.html/re8ae2670ec456ef1c5a2a661a2838ab2cd00e9efa1e88c069f546f21@%3Ccommits.zookeeper.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/02/msg00020.html
- https://lists.apache.org/thread.html/r94930e39b60fff236160c1c4110fe884dc093044b067aa5fc98d7ee1@%3Cdev.ranger.apache.org%3E
- https://lists.apache.org/thread.html/rb5eedf90ba3633e171a2ffdfe484651c9490dc5df74c8a29244cbc0e%40%3Ccommits.zookeeper.apache.org%3E
What are Similar Vulnerabilities to CVE-2020-8840?
Similar Vulnerabilities: CVE-2020-9548, CVE-2019-12384, CVE-2019-12814, CVE-2019-14540, CVE-2019-14439
