CVE-2020-9547
Deserialization vulnerability in jackson-databind (Maven)

Tags: Deserialization, Proof of concept, Fixable by Resolved Security

What is CVE-2020-9547 About?

FasterXML jackson-databind 2.x before 2.9.10.4 (with backported fixes in 2.8.11.6 and 2.7.9.7) mishandles the interaction between serialization gadgets and polymorphic typing, specifically with `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` from ibatis-sqlmap. An application that enables Jackson default typing (or otherwise lets the JSON name the class to instantiate) and has ibatis-sqlmap on its classpath can be made to instantiate this class from attacker-supplied JSON, which leads to remote code execution.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.10.4
    • >2.8.0, <2.8.11.6
    • >2.0.0, <2.7.9.7

Technical Details

This is another polymorphic-typing gadget of the kind that has affected jackson-databind repeatedly. When an application enables Jackson's default typing (for example `enableDefaultTyping()`), or annotates a property with `@JsonTypeInfo(use = Id.CLASS)`, the JSON document itself names the class to instantiate, and Jackson then calls that class's setters with attacker-controlled values. `JtaTransactionConfig` from ibatis-sqlmap is dangerous in that position because its `setProperties` method reads the `UserTransaction` property and resolves it through JNDI (`InitialContext.lookup`). A payload that names this class and supplies an attacker-controlled JNDI URL therefore turns deserialization into a JNDI injection; no second gadget class is needed, the lookup itself is the sink. Whether that ends in remote code execution depends on the JVM version and on what the JNDI lookup can reach, but on affected configurations it does.
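The configuration difference the passage above turns on, as an added example (not code from Resolved Security or from the Jackson project): a mapper with global default typing builds whatever class the JSON names, while a mapper without it, using an explicit `@JsonSubTypes` allowlist, treats the same input as plain data and rejects unknown type ids. It assumes jackson-databind 2.9.x on the classpath; `Canary`, `TransactionConfig` and `JdbcConfig` are hypothetical classes defined here, and `Canary` stands in for a gadget so nothing harmful runs. The classpath probe for `JtaTransactionConfig` is the check a practitioner wants before deciding whether this CVE is reachable.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class DefaultTypingDemo {

    // Hypothetical harmless stand-in for a gadget: whatever class the JSON names
    // is instantiated and has its setters called, which is the control the advisory describes.
    public static class Canary {
        public String note;
        public void setNote(String n) {
            this.note = n;
            System.out.println("Canary.setNote called with: " + n);
        }
    }

    // Vulnerable: global default typing lets the JSON choose any non-final class.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated in 2.10, still present
        return m;
    }

    // Hardened: no default typing; polymorphism only through a closed allowlist of
    // logical names, so a class name in the payload is just an unknown id.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({ @JsonSubTypes.Type(value = JdbcConfig.class, name = "jdbc") })
    public interface TransactionConfig {}

    public static class JdbcConfig implements TransactionConfig {
        public String dataSource;
    }

    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    // Probe for the gadget named in the advisory; initialize=false so no static initializer runs.
    static boolean gadgetOnClasspath() {
        try {
            Class.forName("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",
                          false, DefaultTypingDemo.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jackson-databind " + PackageVersion.VERSION);
        System.out.println("ibatis-sqlmap gadget on classpath: " + gadgetOnClasspath());

        // Wrapper-array form that default typing accepts: ["fully.qualified.Class", {properties}].
        String typed = "[\"" + Canary.class.getName() + "\",{\"note\":\"attacker-chosen type\"}]";

        Object o = vulnerableMapper().readValue(typed, Object.class);
        System.out.println("vulnerable mapper built: " + o.getClass().getName());   // Canary, setter ran

        Object p = hardenedMapper().readValue(typed, Object.class);
        System.out.println("hardened mapper built: " + p.getClass().getName());     // java.util.ArrayList, no Canary

        TransactionConfig ok = hardenedMapper().readValue(
            "{\"kind\":\"jdbc\",\"dataSource\":\"jdbc/app\"}", TransactionConfig.class);
        System.out.println("allowlisted subtype: " + ok.getClass().getSimpleName()); // JdbcConfig

        try {
            hardenedMapper().readValue(
                "{\"kind\":\"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig\"}",
                TransactionConfig.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```

The hardened mapper is safe against this CVE even on an unpatched 2.9.10.3, because no code path lets the document pick a class; the 2.9.10.4 blocklist only matters for applications that keep default typing on. Grepping a code base for `enableDefaultTyping`, `activateDefaultTyping` and `JsonTypeInfo.Id.CLASS` is the quickest way to find the mappers that need the upgrade most.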

What is the Impact of CVE-2020-9547?

Successful exploitation may allow attackers to execute arbitrary code, leading to complete system compromise, data manipulation, or denial of service.

What is the Exploitability of CVE-2020-9547?

Exploitation requires an attacker to send specially crafted JSON to an application that deserializes it with an affected version of jackson-databind. Two further prerequisites must both hold: the application must allow the JSON to choose the target type (Jackson default typing, or `@JsonTypeInfo` with class-name ids), and ibatis-sqlmap must be on the application's classpath so that `JtaTransactionConfig` can be loaded. No authentication is needed by the vulnerability itself; whether an unauthenticated attacker can reach the deserialization endpoint depends on the application's access controls. No elevated privileges are needed, since the attack runs with the permissions of the vulnerable application. This is a remote vulnerability. The complexity is moderate: the attacker needs to know the gadget class and the shape of Jackson's typed JSON, both of which are public. The likelihood of exploitation rises sharply for applications that accept untrusted input into a default-typing-enabled mapper.

What are the Known Public Exploits?

PoC author: fairyming
Link: Link
Commentary: CVE-2020-9547: FasterXML/jackson-databind remote code execution vulnerability

What are the Available Fixes for CVE-2020-9547?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

The patch adds further dangerous classes to the DEFAULT_NO_DESER_CLASS_NAMES set in SubTypeValidator, so that Jackson refuses them as polymorphic type ids; the entries cover classes from hikari-config, ibatis-sqlmap, and anteros-core. This fixes CVE-2020-9547 by preventing `JtaTransactionConfig` from being instantiated through default typing. Note that this blocklist approach protects only against the named classes; applications that keep default typing enabled remain exposed to the next gadget, so the upgrade should be paired with removing default typing or restricting it to an explicit allowlist.

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >=2.0.0, <2.7.9.7 → Upgrade to 2.7.9.7
    • >=2.8.0, <2.8.11.6 → Upgrade to 2.8.11.6
    • >=2.9.0, <2.9.10.4 → Upgrade to 2.9.10.4
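A small gate that turns the ranges above into a yes/no answer for a build, added here as an example (not Resolved Security's tooling). It encodes the first fixed release on each maintained branch, and handles the edge case the table hides: releases on the 2.0 to 2.6 branches are affected but have no fixed release on their own branch, so the only remedy is moving to 2.7.9.7 or later. The version string it takes is whatever `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` reports; the sample versions in `main` are constructed inputs.

```java
import java.util.Map;
import java.util.TreeMap;

public class JacksonDatabindVersionCheck {

    // First fixed release on each maintained branch, keyed by minor version, from the advisory.
    static final Map<Integer, String> FIXED = new TreeMap<>();
    static {
        FIXED.put(7, "2.7.9.7");
        FIXED.put(8, "2.8.11.6");
        FIXED.put(9, "2.9.10.4");
    }

    // "2.9.10.3" -> [2, 9, 10, 3]; missing trailing components count as 0, so 2.9.10 < 2.9.10.4.
    // Non-numeric components (pre-release tags) also count as 0, which errs on the side of "affected".
    static int[] parse(String version) {
        String[] parts = version.trim().split("\\.");
        int[] n = new int[4];
        for (int i = 0; i < Math.min(4, parts.length); i++) {
            n[i] = parts[i].matches("\\d+") ? Integer.parseInt(parts[i]) : 0;
        }
        return n;
    }

    static int compare(String a, String b) {
        int[] x = parse(a), y = parse(b);
        for (int i = 0; i < 4; i++) {
            if (x[i] != y[i]) return Integer.compare(x[i], y[i]);
        }
        return 0;
    }

    static boolean isAffected(String version) {
        int[] v = parse(version);
        if (v[0] != 2) return false;        // only 2.x releases are in scope
        if (v[1] > 9) return false;         // 2.10 and later are newer than every affected branch
        String fixed = FIXED.get(v[1]);
        if (fixed == null) return true;     // 2.0 - 2.6: affected, no fixed release on these branches
        return compare(version, fixed) < 0;
    }

    static String advise(String version) {
        if (!isAffected(version)) {
            return version + ": not in the affected ranges for CVE-2020-9547";
        }
        int minor = parse(version)[1];
        String fixed = FIXED.get(minor);
        if (fixed == null) {
            return version + ": affected; the 2." + minor
                 + " branch has no fixed release, move to 2.7.9.7 or a later branch";
        }
        return version + ": affected; upgrade to " + fixed + " or later on the 2." + minor + " branch";
    }

    public static void main(String[] args) {
        // Constructed sample inputs; pass real versions on the command line instead.
        String[] samples = args.length > 0 ? args
            : new String[] {"2.9.10.3", "2.9.10.4", "2.9.10", "2.8.11.5", "2.6.7.3", "2.10.0"};
        for (String s : samples) {
            System.out.println(advise(s));
        }
    }
}
```

`isAffected` is the function to wire into a CI step; `advise` is the human-readable form. Run it against every copy of jackson-databind the dependency tree shows, including shaded or transitive ones, since a single affected copy on the classpath is enough.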

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.


Additional Resources

What are Similar Vulnerabilities to CVE-2020-9547?

Similar Vulnerabilities: CVE-2017-7525, CVE-2017-15095, CVE-2018-7489, CVE-2019-12384, CVE-2020-36179