CVE-2018-21234
📋 TL;DR
CVE-2018-21234 is a critical deserialization vulnerability in the Jodd JSON parser that allows remote code execution when setClassMetadataName is configured. Attackers can exploit it by sending malicious JSON data to applications that use vulnerable Jodd versions. Any application using the Jodd JSON parser with class metadata enabled is affected.
💻 Affected Systems
- Jodd
📦 What is this software?
Hive by Apache
Jodd by Jodd
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with full system compromise, allowing attackers to execute arbitrary commands, install malware, or pivot to other systems.
Likely Case
Remote code execution leading to data theft, application compromise, or server takeover.
If Mitigated
Limited impact if proper input validation and network segmentation are in place, but still significant risk.
🎯 Exploit Status
Exploitation requires sending malicious JSON payloads to endpoints using vulnerable Jodd configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.4
Vendor Advisory: https://github.com/oblac/jodd/commit/9bffc3913aeb8472c11bb543243004b4b4376f16
Restart Required: Yes
Instructions:
1. Update the Jodd dependency to version 5.0.4 or later.
2. Update pom.xml or build.gradle to use the fixed version.
3. Rebuild and redeploy the application.
4. Restart affected services.
🔧 Temporary Workarounds
Disable class metadata
Disable the setClassMetadataName configuration in the Jodd JSON parser:
jsonParser.setClassMetadataName(null)
Input validation
Implement strict JSON schema validation before parsing
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable systems
- Deploy web application firewall with JSON deserialization protection rules
🔍 How to Verify
Check if Vulnerable:
Check if application uses Jodd version <5.0.4 and has setClassMetadataName configured
Check Version:
Check dependency files (pom.xml, build.gradle) or runtime with: java -cp jodd.jar jodd.Version
Verify Fix Applied:
Verify Jodd version is 5.0.4 or later and class metadata is disabled or properly secured
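The dependency check above can be scripted. The following is an added example, not code from the advisory or from the Jodd project: it scans Maven and Gradle dependency declarations for Jodd artifacts and compares each version against the 5.0.4 fix threshold named above. The `org.jodd` group id and the `jodd-json`/`jodd-core` artifact names are assumptions for the sample inputs, and both sample build files are constructed.

```python
import re
from typing import List, Optional, Tuple

# First fixed release named in the advisory.
FIXED_VERSION = (5, 0, 4)

# Maven group id assumed for this example; the advisory only names "Jodd"
# and its build files, not the artifact coordinates.
JODD_GROUP = "org.jodd"

# Constructed sample build files (not from any real project).
SAMPLE_POM = """
<dependencies>
  <dependency>
    <groupId>org.jodd</groupId>
    <artifactId>jodd-json</artifactId>
    <version>5.0.3</version>
  </dependency>
  <dependency>
    <groupId>org.jodd</groupId>
    <artifactId>jodd-core</artifactId>
    <version>${jodd.version}</version>
  </dependency>
</dependencies>
"""
SAMPLE_GRADLE = """
dependencies {
    implementation 'org.jodd:jodd-json:5.0.4'
    implementation "org.jodd:jodd-core:3.9.1"
}
"""


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn '5.0.3' or '5.0.4-SNAPSHOT' into a comparable tuple.
    Returns None for unresolved values such as Maven properties (${...})."""
    if not re.match(r"\d", version):
        return None
    nums = [int(p) for p in re.findall(r"\d+", version)[:3]] + [0, 0, 0]
    return (nums[0], nums[1], nums[2])


def status_for(version: str) -> str:
    """'vulnerable' below 5.0.4, 'fixed' at or above, 'unresolved' for properties."""
    parsed = parse_version(version)
    if parsed is None:
        return "unresolved"  # resolve the property value, then re-check
    return "vulnerable" if parsed < FIXED_VERSION else "fixed"


def find_jodd_dependencies(text: str) -> List[Tuple[str, str]]:
    """Return (artifactId, version) pairs for every org.jodd dependency."""
    found = []
    # Gradle / short coordinate form: group:artifact:version
    for m in re.finditer(rf"{re.escape(JODD_GROUP)}:([\w-]+):([^'\"\s]+)", text):
        found.append((m.group(1), m.group(2)))
    # Maven <dependency> blocks whose groupId is org.jodd
    for m in re.finditer(r"<dependency>(.*?)</dependency>", text, re.S):
        block = m.group(1)
        if not re.search(rf"<groupId>\s*{re.escape(JODD_GROUP)}\s*</groupId>", block):
            continue
        art = re.search(r"<artifactId>\s*([\w-]+)\s*</artifactId>", block)
        ver = re.search(r"<version>\s*([^<\s]+)\s*</version>", block)
        if art and ver:
            found.append((art.group(1), ver.group(1)))
    return found


def audit(text: str) -> List[Tuple[str, str, str]]:
    """(artifactId, version, status) for each Jodd dependency in a build file."""
    return [(a, v, status_for(v)) for a, v in find_jodd_dependencies(text)]


if __name__ == "__main__":
    for name, text in (("pom.xml", SAMPLE_POM), ("build.gradle", SAMPLE_GRADLE)):
        for artifact, version, status in audit(text):
            print(f"{name}: {artifact} {version} -> {status}")
```

A version reported as `unresolved` comes from a Maven property or a BOM and has to be resolved (for example with the build tool's dependency tree output) before it can be judged; a version below 5.0.4 still only matters if the application also calls setClassMetadataName, which this script does not check.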
📡 Detection & Monitoring
Log Indicators:
- Unusual JSON parsing errors
- Unexpected class loading in logs
- Stack traces containing jodd.json.JsonParser
Network Indicators:
- Malformed JSON payloads with class metadata
- Unusual outbound connections from application server
SIEM Query:
source="application.logs" AND ("jodd.json.JsonParser" OR "ClassNotFoundException" OR "NoClassDefFoundError")
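The SIEM query above matches any of three strings, and `ClassNotFoundException` on its own is noisy in most Java estates. The following added example (not part of the advisory) applies the same indicators over a constructed application log, but first groups Java stack traces with the log record they belong to, so that a class-loading failure raised through a `jodd.json` frame can be ranked above either string appearing alone. The log format and every class and file name in the sample are constructed.

```python
import re
from typing import List, Optional, Tuple

# Indicators taken from the advisory's SIEM query.
INDICATORS = ("jodd.json.JsonParser", "ClassNotFoundException", "NoClassDefFoundError")

# Constructed application log excerpt (assumed format; not from a real system).
SAMPLE_LOG = """\
2019-03-05T10:12:01Z INFO  app - service started
2019-03-05T10:12:07Z WARN  app - jodd.json.JsonParser rejected request body
2019-03-05T10:12:08Z ERROR app - request /api/import failed
java.lang.ClassNotFoundException: com.example.DoesNotExist
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
    at jodd.json.JsonParser.parse(JsonParser.java:1)
    at com.example.ImportController.handle(ImportController.java:42)
2019-03-05T10:13:00Z ERROR app - java.lang.NoClassDefFoundError: org/example/Missing
    at com.example.Other.run(Other.java:10)
""".splitlines()

# A line that starts a Java exception, a stack frame, or a "Caused by" chain
# belongs to the preceding log record, so records are grouped before matching.
CONTINUATION = re.compile(r"^(\s|Caused by:|\.\.\. \d+ more|[\w.$]+(Exception|Error)(:|$))")


def group_records(lines: List[str]) -> List[str]:
    """Join each log record with its stack-trace continuation lines."""
    records: List[List[str]] = []
    for line in lines:
        if records and CONTINUATION.match(line):
            records[-1].append(line)
        else:
            records.append([line])
    return ["\n".join(r) for r in records]


def classify(record: str) -> Optional[str]:
    """None if no indicator matches; 'high' when a class-loading failure
    surfaces through a jodd.json frame; 'low' for either signal on its own."""
    if not any(i in record for i in INDICATORS):
        return None
    class_load_failure = any(i in record for i in INDICATORS[1:])
    return "high" if class_load_failure and "jodd.json" in record else "low"


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """(record index, confidence) for every record the SIEM query would match."""
    out = []
    for idx, record in enumerate(group_records(lines)):
        level = classify(record)
        if level:
            out.append((idx, level))
    return out


if __name__ == "__main__":
    for idx, level in scan(SAMPLE_LOG):
        print(f"record {idx}: {level}")
```

Tune the `high` rule to the application: a parser that is expected to resolve class names at runtime will raise `ClassNotFoundException` through `jodd.json` frames legitimately, so baseline the alert against normal traffic before acting on it.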
🔗 References
- https://github.com/oblac/jodd/commit/9bffc3913aeb8472c11bb543243004b4b4376f16
- https://github.com/oblac/jodd/compare/v5.0.3...v5.0.4
- https://github.com/oblac/jodd/issues/628
- https://lists.apache.org/thread.html/r0bacc701ab7105500a0ab2769270d18f332cb379e6a62ec7553f3327%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r157d01c96a2c10e7ceb3e005f42c52cfe87b11dd018935e1c4277433%40%3Cgitbox.hive.apache.org%3E
- https://lists.apache.org/thread.html/r317aec95c436848233047af7ecb3ce04ce446eb6031f981aef50df0d%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/r729bc1e0f367fe8a857ac8a14641dba284ac4cf5131edf483022cf59%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r965503b27d67a2d934e34fc1d088c9547d51d927c43b8b9bd9b7e695%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/rc23200043872384e0fc48a4a4502f4c6b4b5ddc79ba4076414150d59%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/rc85b650b4ad2c77d7c39c69824488e40dce6d0ebbb4204777d094375%40%3Cgitbox.hive.apache.org%3E
- https://lists.apache.org/thread.html/rd575d9877424a2d8776f5c2ff33bf3dc3382cd83f031d483f29c11ab%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/rdbb99b43334b59d3d3478d360c87e3235ba22edb1de7d39019194347%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/rdce006b282e56c5cc73cdf452c51c5097154d0503396d62f48abbeae%40%3Cgitbox.hive.apache.org%3E
- https://lists.apache.org/thread.html/rf458683390d6650b26a2c8ba8ad396e038e520ad1cc3f3f1e20514d9%40%3Cdev.hive.apache.org%3E