CVE-2020-9548
Deserialization vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2020-9548 About?
This vulnerability in FasterXML jackson-databind affects versions 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7. The library mishandles the interaction between serialization gadgets and typing, so that attacker-controlled JSON can select which class is instantiated. Exploitation requires knowledge of specific gadget chains and can lead to remote code execution.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
  - >2.9.0, <2.9.10.4
  - >2.8.0, <2.8.11.6
  - >2.0.0, <2.7.9.7
Technical Details
FasterXML jackson-databind versions 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 are vulnerable to deserialization attacks. The issue stems from the library's mishandling of the interaction between serialization gadgets and polymorphic typing, specifically observed with `br.com.anteros.dbcp.AnterosDBCPConfig` (anteros-core). When `jackson-databind` is used to deserialize attacker-controlled JSON input, specific gadget classes (such as `AnterosDBCPConfig`) can be instantiated. If default typing (`enableDefaultTyping`) is enabled, the deserializer trusts the type information carried in the JSON and may load and instantiate unexpected classes whose constructors or setters have dangerous side effects, potentially executing arbitrary code supplied by the attacker during deserialization.
What is the Impact of CVE-2020-9548?
Successful exploitation may allow attackers to achieve arbitrary code execution by leveraging deserialization vulnerabilities, leading to full system compromise.
What is the Exploitability of CVE-2020-9548?
Exploitation of this deserialization vulnerability is considered complex, requiring an attacker to craft specific JSON payloads that leverage known "gadget chains" present in the application's classpath. The attacker needs to identify which classes are available and how their constructors or setters can be abused during deserialization. There are typically no authentication or privilege requirements beyond the ability to provide attacker-controlled JSON data to a vulnerable deserialization endpoint. This is a remote vulnerability, as the attacker sends the malicious JSON over the network. Special conditions include the application using `jackson-databind` for deserialization of untrusted input, particularly with polymorphic typing enabled, and having a vulnerable gadget on the classpath. Risk factors are high if the application processes external JSON data without strict validation or whitelisting of serializable types.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| fairyming | Link | CVE-2020-9548: FasterXML/jackson-databind remote code execution vulnerability |
What are the Available Fixes for CVE-2020-9548?
About the Fix from Resolved Security
The patch adds specific dangerous classes (HikariConfig, JtaTransactionConfig, AnterosDBCPConfig) to the denylist that Jackson uses to block certain types from being deserialized. This prevents exploitation of CVE-2020-9548, which occurs when unsafe classes are deserialized, potentially allowing attackers to perform remote code execution or other malicious actions. By denylisting these classes, the patch mitigates the risk by preventing them from being deserialized through Jackson.
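The technical description above explains the precondition (global default typing makes the JSON choose the class), the exploitability section names the mitigation (strict validation or whitelisting of serializable types), and the fix description shows the library's own denylist approach. The following Java program is an added example written for this page, not code from the jackson-databind project or the page's author. It places the weak configuration beside two hardened forms: explicit subtype registration, which works on every 2.x release, and a `PolymorphicTypeValidator` allowlist, which assumes jackson-databind 2.10 or later (above the fix versions listed on this page). The class name in the sample payload and the `com.example.app.model.` package prefix are placeholders, not real gadgets.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class JacksonTypingDemo {

    // Constructed sample input: the "[className, {...}]" shape that default
    // typing understands. The class name is a placeholder, not a gadget.
    static final String UNTRUSTED_JSON =
        "[\"example.placeholder.SomeClass\", {\"field\": \"value\"}]";

    // Weak configuration (the precondition described on this page): global
    // default typing lets the JSON, rather than the application, pick the class
    // to instantiate. Deprecated since 2.10, still present in 2.x.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }

    // Hardened form 1 (any 2.x): leave default typing off and declare
    // polymorphism per base type with an explicit, closed subtype list.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {}
    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    static ObjectMapper allowlistMapper() {
        return new ObjectMapper(); // no enableDefaultTyping / activateDefaultTyping
    }

    // Hardened form 2 (2.10+, assumption: above this page's fix versions): if
    // default typing is genuinely required, bind it to a validator that only
    // admits subtypes under an application-owned package prefix.
    static ObjectMapper validatedMapper() {
        BasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.app.model.") // assumed package prefix
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Legitimate polymorphic input is resolved through the declared name,
        // never through a class name supplied by the caller.
        Shape s = allowlistMapper()
            .readValue("{\"kind\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println("allowlist mapper -> " + s.getClass().getSimpleName());

        // The class-naming payload is refused by the validator before the
        // named class is even loaded (InvalidTypeIdException, a
        // JsonMappingException subclass), instead of being instantiated.
        try {
            validatedMapper().readValue(UNTRUSTED_JSON, Object.class);
            System.out.println("unexpected: payload was accepted");
        } catch (JsonMappingException e) {
            System.out.println("validated mapper rejected input: " + e.getOriginalMessage());
        }
    }
}
```

The denylist in the upstream patch blocks the specific gadget classes named on this page; the allowlist forms above are the complementary defence, because they make unknown classes unreachable regardless of what else is on the classpath. Defenders auditing an application for this issue should look for calls to `enableDefaultTyping` (or `@JsonTypeInfo(use = Id.CLASS)` on types reachable from untrusted input) in addition to checking the dependency version.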
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
  - >2.0.0, <2.7.9.7 → Upgrade to 2.7.9.7
  - >2.8.0, <2.8.11.6 → Upgrade to 2.8.11.6
  - >2.9.0, <2.9.10.4 → Upgrade to 2.9.10.4
Additional Resources
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E
- https://github.com/FasterXML/jackson-databind/commit/1e64db6a2fad331f96c7363fda3bc5f3dffa25bb
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E
- https://github.com/FasterXML/jackson-databind/issues/2634
- https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca%40%3Cissues.zookeeper.apache.org%3E
- https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
What are Similar Vulnerabilities to CVE-2020-9548?
Similar Vulnerabilities: CVE-2020-8840, CVE-2019-12384, CVE-2019-12814, CVE-2019-14540, CVE-2019-14439
