CVE-2020-9546
Serialization vulnerability in jackson-databind (Maven)
What is CVE-2020-9546 About?
This vulnerability affects FasterXML jackson-databind due to mishandling of serialization gadgets and typing when processing certain objects. This can lead to remote code execution or denial of service when untrusted data is deserialized. Exploiting this requires constructing a specific malicious payload that interacts with the deserialization process.
Affected Software
Technical Details
The vulnerability lies in how FasterXML jackson-databind 2.x before 2.9.10.4 interacts with 'gadgets' (classes that can be abused during deserialization) and its polymorphic type handling (default typing). Specifically, org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (a shaded copy of HikariCP's configuration class) was not on the library's blocklist of known gadget classes, so it could be named as a type id in incoming JSON. When an application deserializes untrusted data using an affected jackson-databind version with default typing enabled, a specially crafted JSON payload can trigger the instantiation of HikariConfig and the execution of dangerous methods within it or related classes. This can bypass security restrictions and lead to remote code execution or other undesirable actions, depending on the classpath and the gadgets available on it.
What is the Impact of CVE-2020-9546?
Successful exploitation may allow attackers to execute arbitrary code, gain control over the affected application, or cause a denial of service.
What is the Exploitability of CVE-2020-9546?
Exploitation requires the ability to send malicious serialized data to an application using the vulnerable jackson-databind version. The complexity is moderate, as it involves crafting a specific payload that leverages known deserialization gadgets. No authentication is typically required if the application accepts untrusted serialized input directly, making it a remote attack vector. No privileges are needed to trigger the bug; whatever code the gadget executes runs with the privileges of the application process. A key condition for exploitation is the presence of the org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig class on the victim's classpath, even if the application never uses it directly.
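The Technical Details and Exploitability sections above describe the precondition for this class of bug: default typing that lets untrusted JSON name any class on the classpath. The following is an added example, not code from this page or from the jackson-databind project; it shows the weak default-typing configuration beside an allow-listed one and checks which type ids each accepts. It assumes jackson-databind 2.10 or later (where activateDefaultTyping and BasicPolymorphicTypeValidator exist); Event and LoginEvent are hypothetical application types, and the JSON inputs are constructed for the demonstration.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

public class DefaultTypingCheck {

    // Hypothetical application types that legitimately need polymorphic handling.
    public static abstract class Event { public String user; }
    public static class LoginEvent extends Event { }

    // Weak setting: default typing with a validator that accepts any non-final class
    // named in the JSON. This is what lets a gadget class on the classpath be
    // instantiated from untrusted input (enableDefaultTyping() in 2.9 behaves the same).
    static ObjectMapper vulnerableMapper() {
        return new ObjectMapper().activateDefaultTyping(
                LaissezFaireSubTypeValidator.instance, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Corrected setting: only subtypes of Event may appear as a type id.
    static ObjectMapper hardenedMapper() {
        BasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Event.class)
                .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Returns true if the mapper accepted the type id embedded in the JSON.
    static boolean acceptsTypeId(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (InvalidTypeIdException e) {
            return false; // the validator rejected the type id
        } catch (java.io.IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: an expected application type, and a JDK class that is not
        // on the allow-list (standing in for any unexpected class found on the classpath).
        String expected = "[\"" + LoginEvent.class.getName() + "\", {\"user\":\"alice\"}]";
        String unexpected = "[\"java.util.Date\", 0]";

        System.out.println("vulnerable accepts expected:   " + acceptsTypeId(vulnerableMapper(), expected));
        System.out.println("vulnerable accepts unexpected: " + acceptsTypeId(vulnerableMapper(), unexpected));
        System.out.println("hardened accepts expected:     " + acceptsTypeId(hardenedMapper(), expected));
        System.out.println("hardened accepts unexpected:   " + acceptsTypeId(hardenedMapper(), unexpected));
    }
}
```

The vulnerable mapper accepts both inputs, the hardened one only the Event subtype. Upgrading to 2.9.10.4 (which blocklists HikariConfig) remains the fix for this CVE; an allow-list validator is defence in depth against gadget classes not yet on the blocklist.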
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-9546?
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- >2.9.0, <2.9.10.4 → Upgrade to 2.9.10.4
Additional Resources
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f43712947a9847ec18%40%3Cnotifications.zookeeper.apache.org%3E
- https://osv.dev/vulnerability/GHSA-5p34-5m6p-p58g
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f43712947a9847ec18@%3Cnotifications.zookeeper.apache.org%3E
- https://github.com/FasterXML/jackson-databind/issues/2631
- https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca%40%3Cissues.zookeeper.apache.org%3E
What are Similar Vulnerabilities to CVE-2020-9546?
Similar Vulnerabilities: CVE-2017-7525, CVE-2018-7489, CVE-2019-14540, CVE-2020-36179, CVE-2020-36181
