CVE-2020-10672
📋 TL;DR
CVE-2020-10672 is one entry in the long series of jackson-databind "gadget" deserialization flaws: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and polymorphic typing, here through the class org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory. It is exploitable only when an application deserializes attacker-controlled JSON with default typing enabled (or an equivalently broad @JsonTypeInfo configuration) and the Apache Aries transaction JMS classes are on the classpath; a crafted JSON document can then name that class as a type id and drive remote code execution with the privileges of the application. The fix adds the class to jackson-databind's deny-list of known gadget types.
💻 Affected Systems
- FasterXML jackson-databind
- Applications using jackson-databind for JSON processing
📦 What is this software?
jackson-databind is the data-binding layer of the FasterXML Jackson JSON library for Java: it maps JSON to and from Java objects and is embedded, directly or transitively, in a large share of Java applications. Oracle lists the following products as shipping an affected copy (see the Oracle Critical Patch Update advisories in the references):
- Agile PLM
- AutoVue for Agile Product Lifecycle Management
- Communications Diameter Signaling Router
- Communications Evolved Communications Application Server
- Communications Instant Messaging Server
- Communications Network Charging and Control
- Communications Session Report Manager
- Communications Session Route Manager
- Enterprise Manager Base Platform
- Financial Services Analytical Applications Infrastructure
- Financial Services Institutional Performance Analytics
- Financial Services Price Creation and Discovery
- Financial Services Retail Customer Analytics
- Global Lifecycle Management OPatch
- Insurance Policy Administration J2EE
- JD Edwards EnterpriseOne Orchestrator
⚠️ Risk & Real-World Impact
Worst Case
A remote, unauthenticated attacker who can reach a JSON endpoint achieves arbitrary code execution with the privileges of the application process, potentially leading to complete system compromise.
Likely Case
Where default typing is enabled on untrusted input and the Aries JMS classes are present: remote code execution leading to data theft, credential theft, privilege escalation, or lateral movement within the environment. Where either precondition is missing, the gadget does not fire and the payload fails with a type-resolution error.
If Mitigated
No practical impact if the application never enables default typing for untrusted input, restricts type ids with a PolymorphicTypeValidator, or does not ship the org.apache.aries.transaction.jms classes. Generic JSON input validation is not a reliable mitigation: the malicious content is a well-formed JSON document whose only distinguishing feature is the class name it carries.
🎯 Exploit Status
None of the references above publish exploit code, but the technique is the same as for the earlier jackson-databind gadget CVEs, for which public tooling exists. Exploitation needs three things together: (1) an endpoint that deserializes attacker-controlled JSON with default typing enabled, or with @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) on an Object-typed or similarly broad property; (2) org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory on the application's classpath; (3) a JSON document that names that class as the polymorphic type id. Without (1) or (2) the payload fails with a type-resolution error rather than executing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.10.4 or later
Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2659
Restart Required: Yes
Instructions:
1. Update the jackson-databind dependency to 2.9.10.4 or later, including any transitive copy pulled in by frameworks (check the resolved dependency tree, not only the version you declare).
2. Update the Maven/Gradle configuration; a dependencyManagement entry (Maven) or a dependency constraint (Gradle) pins transitive versions.
3. Rebuild and redeploy the application.
4. Restart the affected services.
Note that 2.9.10.4 only adds this one gadget class to jackson-databind's deny-list, and further gadget classes have been reported since. Treat the upgrade as necessary but not sufficient, and apply the configuration changes below as well.
🔧 Temporary Workarounds
Disable polymorphic typing
Default typing is off unless the application turns it on, and this vulnerability needs it on. Do not enable it on any ObjectMapper that reads untrusted input:
ObjectMapper mapper = new ObjectMapper();
// Do NOT call mapper.enableDefaultTyping() (or, on 2.10+, activateDefaultTyping() without a strict validator)
Also review annotations: @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) on a property of type Object (or another very broad base type) exposes the same class-name resolution even with default typing off.
Use allow-list for deserialization
If polymorphic typing is genuinely required, configure a PolymorphicTypeValidator (available from jackson-databind 2.10) so that only the application's own types can be named as a type id. The validator must be built before it is passed to activateDefaultTyping. Imports: com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator, com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator, com.fasterxml.jackson.annotation.JsonTypeInfo.
PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
        .allowIfSubType("com.example.model.")   // only classes under the application's own package may be instantiated
        .build();
ObjectMapper mapper = new ObjectMapper();
mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
allowIfSubType constrains the concrete class that will actually be instantiated; allowIfBaseType would instead admit every subtype of any base type under the prefix, which is broader than intended. Call mapper.setPolymorphicTypeValidator(ptv) as well if the application uses @JsonTypeInfo annotations, so annotation-driven typing is checked by the same rules.
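The weak and the hardened configuration side by side, as an added example that is not from the original page or the jackson-databind project. It assumes jackson-databind 2.10 or later and Java 11 or later; the package com.example.model and the classes and fields Envelope, Greeting and payload are constructed for the demo, and a harmless JDK class stands in for the gadget so the mechanism can be seen without a gadget payload:

```java
package com.example.model;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not from the original page or the jackson-databind project.
// Assumes jackson-databind 2.10+ and Java 11+. Package, class and field names
// are constructed for the demo.
public class DefaultTypingDemo {

    // Message type with an Object-typed field: the shape that makes Jackson read
    // a type id from the JSON once default typing is on.
    public static class Envelope {
        public Object payload;
    }

    // Application type that legitimately appears as a payload.
    public static class Greeting {
        public String text;
    }

    // Weak: any class on the classpath may be named in "@class". Before 2.9.10.4
    // that includes org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory
    // whenever the Aries JMS jar is present; after the fix only the deny-list
    // stands between the attacker and the next gadget.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE,
                              JsonTypeInfo.As.PROPERTY); // deprecated in 2.10, still honoured
        return m;
    }

    // Hardened: only classes under our own package may be named as a type id.
    // Anything else fails closed with InvalidTypeIdException, independent of
    // whether the deny-list knows about the class.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE,
                                JsonTypeInfo.As.PROPERTY);
        m.setPolymorphicTypeValidator(ptv); // also governs @JsonTypeInfo-driven typing
        return m;
    }

    // Runtime class of the deserialized payload, or null if the mapper refused the type id.
    static Class<?> payloadClass(ObjectMapper m, String json) throws Exception {
        try {
            return m.readValue(json, Envelope.class).payload.getClass();
        } catch (InvalidTypeIdException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs. The second names a harmless JDK class where an
        // attacker would name a gadget; the resolution mechanism is identical.
        String ownType = "{\"payload\":{\"@class\":\"com.example.model.DefaultTypingDemo$Greeting\",\"text\":\"hi\"}}";
        String foreign = "{\"payload\":{\"@class\":\"java.util.HashMap\",\"k\":\"v\"}}";

        System.out.println("weak,     own type: " + payloadClass(weakMapper(), ownType));
        System.out.println("weak,     foreign : " + payloadClass(weakMapper(), foreign));
        System.out.println("hardened, own type: " + payloadClass(hardenedMapper(), ownType));
        System.out.println("hardened, foreign : " + payloadClass(hardenedMapper(), foreign));
    }
}
```

The weak mapper instantiates whatever class the JSON names; the hardened mapper instantiates Greeting but returns null for java.util.HashMap because the validator never saw a rule allowing it. OBJECT_AND_NON_CONCRETE is used rather than NON_FINAL so that the Envelope root itself does not need a type id; NON_FINAL also works but then every non-final value, including the root, must carry "@class".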
🧯 If You Can't Patch
- Remove the Apache Aries transaction JMS bundle (package org.apache.aries.transaction.jms) from the application's classpath if nothing uses it; without the gadget class the payload cannot resolve.
- Confirm that no ObjectMapper handling untrusted input has default typing enabled, and audit @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) usage on broad base types.
- If a WAF is the only available control, block and log request bodies containing the string org.apache.aries.transaction.jms, but treat this as detective rather than preventive: JSON unicode escapes inside string values (for example "\u002e" for ".") are accepted by the parser and evade plain substring matching.
- Use network segmentation so the application host cannot make arbitrary outbound connections; this limits what a successful payload can reach.
🔍 How to Verify
Check if Vulnerable:
Check pom.xml or build.gradle for a jackson-databind version below 2.9.10.4. The vulnerable copy is often transitive, so inspect the resolved version rather than only the declared one. (com.fasterxml.jackson.databind.cfg.PackageVersion has no main method and cannot be run with java -cp; read the version from the jar instead.)
Check Version:
mvn dependency:tree | grep jackson-databind
gradle dependencies | grep jackson-databind
unzip -p jackson-databind-*.jar META-INF/MANIFEST.MF | grep -iE "Bundle-Version|Implementation-Version"
From inside a running application: com.fasterxml.jackson.databind.cfg.PackageVersion.VERSION
Verify Fix Applied:
Confirm jackson-databind is >= 2.9.10.4 both in the build's resolved dependency tree and in the deployed artifact (WEB-INF/lib, fat jar, or container image), then confirm the application either does not enable default typing for untrusted input or does so with a PolymorphicTypeValidator.
📡 Detection & Monitoring
Log Indicators:
- Deserialization failures on endpoints that accept JSON: com.fasterxml.jackson.databind.exc.InvalidTypeIdException, or a JsonMappingException whose message contains "Illegal type (...) to deserialize: prevented for security reasons", which is what jackson-databind's SubTypeValidator raises when a deny-listed class is named as a type id (on a patched library this means a probe was attempted and refused)
- Stack traces or type-id strings containing org.apache.aries.transaction.jms, the gadget package named by this CVE
- Unexpected loading of org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (for example in -verbose:class output) in an application that does not use Aries JMS pooling
Network Indicators:
- JSON request bodies whose type-id fields ("@class", "@type") or wrapper arrays name classes outside the application's own packages, in particular org.apache.aries.transaction.jms.*
- Unexpected outbound connections from the JVM shortly after a JSON request is processed
SIEM Query:
source="application.logs" AND ("org.apache.aries.transaction.jms" OR "XaPooledConnectionFactory" OR "prevented for security reasons" OR "InvalidTypeIdException")
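The log indicators above applied to sample lines, as an added example that is not part of the original page: it lets the SIEM query's patterns be checked locally before they are deployed. The log lines are constructed, and the GadgetLogScan and Hit names are chosen for the demo:

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not from the original page: runs the log indicators over
// constructed log lines and reports which ones fire.
public class GadgetLogScan {

    // The gadget package named by the CVE; the message jackson-databind's
    // SubTypeValidator raises when a deny-listed class is named as a type id;
    // and the exception a PolymorphicTypeValidator rejection raises.
    static final Pattern GADGET   = Pattern.compile("org\\.apache\\.aries\\.transaction\\.jms(\\.[\\w$]+)*");
    static final Pattern BLOCKED  = Pattern.compile("Illegal type \\(([^)]+)\\) to deserialize: prevented for security reasons");
    static final Pattern REJECTED = Pattern.compile("InvalidTypeIdException");

    public static final class Hit {
        public final int lineNo;
        public final String indicator;
        public final String detail;
        Hit(int lineNo, String indicator, String detail) {
            this.lineNo = lineNo; this.indicator = indicator; this.detail = detail;
        }
        @Override public String toString() { return "line " + lineNo + ": " + indicator + " " + detail; }
    }

    // One Hit per (line, indicator) pair; a single line may produce several hits.
    static List<Hit> scan(List<String> lines) {
        List<Hit> hits = new ArrayList<>();
        for (int i = 0; i < lines.size(); i++) {
            String line = lines.get(i);
            Matcher m = BLOCKED.matcher(line);
            if (m.find()) hits.add(new Hit(i + 1, "denylist-rejected", m.group(1)));
            m = GADGET.matcher(line);
            if (m.find()) hits.add(new Hit(i + 1, "gadget-class", m.group()));
            if (REJECTED.matcher(line).find()) hits.add(new Hit(i + 1, "ptv-rejected", ""));
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed lines: a normal request, a probe refused by a patched library,
        // a probe refused by a PolymorphicTypeValidator, and a class-load record
        // of the gadget on a host where it resolved.
        List<String> sample = List.of(
            "2020-04-01T12:00:01Z INFO  api POST /v1/orders 200",
            "2020-04-01T12:00:02Z ERROR api com.fasterxml.jackson.databind.JsonMappingException: Illegal type (org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory) to deserialize: prevented for security reasons",
            "2020-04-01T12:00:03Z ERROR api com.fasterxml.jackson.databind.exc.InvalidTypeIdException: Could not resolve type id 'java.util.HashMap' as a subtype of `java.lang.Object`",
            "[12.345s][info][class,load] org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory source: file:/app/lib/aries-jms.jar"
        );
        for (Hit h : scan(sample)) {
            System.out.println(h);
        }
    }
}
```

The second sample line fires both the deny-list and gadget-class indicators, which is the signature of an attempt against a patched host; the class-load line alone, with no accompanying error, is the case to escalate, since it indicates the class was resolved rather than refused.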
🔗 References
- https://github.com/FasterXML/jackson-databind/issues/2659
- https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html
- https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://security.netapp.com/advisory/ntap-20200403-0002/
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html