CVE-2020-10968
📋 TL;DR
This vulnerability in FasterXML jackson-databind allows remote code execution (RCE) via deserialization of untrusted JSON, using a gadget chain involving org.aoju.bus.proxy.provider.remoting.RmiProvider (from the bus-proxy library). It affects applications using jackson-databind 2.x before 2.9.10.4 that have polymorphic type handling enabled for attacker-controlled input (enableDefaultTyping(), or @JsonTypeInfo on fields typed Object or an abstract/interface type) and that have the gadget library on the classpath.
💻 Affected Systems
- FasterXML jackson-databind 2.x before 2.9.10.4
- Oracle products that bundle a vulnerable jackson-databind (listed in the Oracle Critical Patch Updates from July 2020 through October 2021):
  - Agile PLM
  - AutoVue for Agile Product Lifecycle Management
  - Communications Diameter Signaling Router
  - Communications Evolved Communications Application Server
  - Communications Instant Messaging Server
  - Communications Network Charging and Control
  - Communications Session Report Manager
  - Communications Session Route Manager
  - Enterprise Manager Base Platform
  - Financial Services Analytical Applications Infrastructure
  - Financial Services Institutional Performance Analytics
  - Financial Services Price Creation and Discovery
  - Financial Services Retail Customer Analytics
  - Global Lifecycle Management OPatch
  - Insurance Policy Administration J2EE
  - JD Edwards EnterpriseOne Orchestrator
📦 What is this software?
jackson-databind is the data-binding module of the Jackson JSON library for Java. It maps JSON to Java objects and back; when polymorphic type handling is enabled, the JSON itself names the class to instantiate, which is what deserialization gadget chains such as this one abuse.
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
RCE allowing attackers to execute arbitrary commands on the server, potentially leading to data breaches or service disruption.
If Mitigated
Limited impact if polymorphic typing is disabled for untrusted input and the gadget library is absent from the classpath, but the flaw itself persists until jackson-databind is patched.
🎯 Exploit Status
Exploitation reuses a known gadget chain and public proof-of-concept code exists; an attacker needs only an endpoint that deserializes attacker-controlled JSON with polymorphic typing enabled and the gadget library on the classpath.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.10.4 or later
Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2662
Restart Required: Yes
Instructions:
1. Update the jackson-databind dependency to version 2.9.10.4 or higher in your project's build configuration (e.g., Maven, Gradle).
2. Rebuild and redeploy the application.
3. Restart the application server to apply changes.
🔧 Temporary Workarounds
Disable polymorphic typing
Prevent deserialization of attacker-chosen types by not enabling default typing on any ObjectMapper that handles untrusted input (remove enableDefaultTyping(); call disableDefaultTyping() on 2.9 or deactivateDefaultTyping() on 2.10+) and by auditing @JsonTypeInfo usage on fields typed Object, abstract classes or interfaces. If polymorphism is genuinely needed, restrict it to an allowlist of your own classes (on 2.10+ via a PolymorphicTypeValidator passed to activateDefaultTyping()).
Block dangerous classes
Blocklisting is what the upstream fix does: 2.9.10.4 adds org.aoju.bus.proxy.provider.remoting.RmiProvider to jackson-databind's internal list of refused subtypes. If you cannot upgrade, remove the bus-proxy library (org.aoju.bus) from the classpath so the chain has nothing to instantiate; a blocklist maintained in your own code only covers gadgets that are already known, so treat it as a stopgap, not a fix.
🧯 If You Can't Patch
- Reject untrusted JSON that carries polymorphic type identifiers (the type property name or wrapper-array form your ObjectMapper is configured with) before it reaches deserialization, and never pass request bodies to a mapper with default typing enabled.
- Isolate the vulnerable application in a segmented network, block outbound RMI from it (the gadget performs a remote lookup to an attacker-chosen host), and monitor for anomalous activity.
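The weak and the hardened ObjectMapper configurations side by side, as an added example that is not code from this page or from the Jackson project. It assumes jackson-databind 2.10 or later for the PolymorphicTypeValidator API (enableDefaultTyping() is the 2.9-era call, deprecated but still present). The Event and Note classes, the allowlist scope and both JSON inputs are constructed for the demonstration; the hostile input carries the gadget class name from this CVE with an empty body, purely to show that the name is refused.

```java
import java.io.IOException;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Constructed model: a field declared as Object is exactly the kind of target
    // that default typing turns into an attacker-chosen class name.
    public static class Event {
        public String name;
        public Object payload;
    }

    // Constructed, benign subtype the application legitimately expects in "payload".
    public static class Note {
        public String text;
    }

    // Weak configuration. The no-arg enableDefaultTyping() means OBJECT_AND_NON_CONCRETE
    // with WRAPPER_ARRAY: any class on the classpath may be named in the JSON for an
    // Object-typed field and will be instantiated, which is what this CVE's chain relies on.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // Hardened configuration (2.10+ API): same applicability, but a type id is only
    // resolved if its name starts with the allowlisted prefix (here: exactly Note).
    // Anything else is refused whether or not the class exists; nothing is instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Note.class.getName())   // name-based allowlist, constructed scope
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv);
        return m;
    }

    // Strictest option when the application needs no polymorphic deserialization at all.
    static ObjectMapper noPolymorphismMapper() {
        return new ObjectMapper().deactivateDefaultTyping();
    }

    // Constructed inputs. With WRAPPER_ARRAY the type id is the first element of a
    // two-element array wrapping the Object-typed value.
    static final String LEGIT =
            "{\"name\":\"greeting\",\"payload\":[\"" + Note.class.getName() + "\",{\"text\":\"hi\"}]}";
    static final String HOSTILE =
            "{\"name\":\"x\",\"payload\":[\"org.aoju.bus.proxy.provider.remoting.RmiProvider\",{}]}";

    static String tryRead(String label, ObjectMapper mapper, String json) {
        try {
            Event e = mapper.readValue(json, Event.class);
            String type = (e.payload == null) ? "null" : e.payload.getClass().getName();
            return label + ": accepted, payload type " + type;
        } catch (IOException ex) {   // JsonProcessingException extends IOException on every 2.x line
            return label + ": rejected: " + ex.getMessage();
        }
    }

    public static void main(String[] args) {
        ObjectMapper weak = weakMapper();
        ObjectMapper hardened = hardenedMapper();
        for (String json : new String[] { LEGIT, HOSTILE }) {
            System.out.println(tryRead("weak    ", weak, json));
            System.out.println(tryRead("hardened", hardened, json));
        }
    }
}
```

On a patched jackson-databind the weak mapper also refuses this particular name, because the fix adds it to the internal blocklist; that is precisely why blocklisting alone is a losing game. The next gadget class is not on the list yet, while the allowlist in hardenedMapper() refuses every name that is not Note regardless of what the blocklist knows.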
🔍 How to Verify
Check if Vulnerable:
Check the jackson-databind version actually loaded by your application (transitive dependencies and shaded copies included); any 2.x version below 2.9.10.4 carries the flaw. This particular chain is exploitable only if polymorphic typing is enabled for untrusted input and the gadget class org.aoju.bus.proxy.provider.remoting.RmiProvider is loadable, so check both as well; an older jackson-databind without this gadget is still exposed to other known gadget chains and should be upgraded regardless.
Check Version:
For Maven: mvn dependency:tree | grep jackson-databind
For Gradle: gradle dependencies | grep jackson-databind
In Java code: System.out.println(com.fasterxml.jackson.databind.cfg.PackageVersion.VERSION);
Verify Fix Applied:
After updating, verify the version is 2.9.10.4 or higher by checking the dependency manifest or running one of the version checks above, and confirm that no older copy is still pulled in transitively or bundled inside a deployed artifact.
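A runtime check that answers both questions above (which jackson-databind the JVM actually loaded, and whether the gadget class is reachable), as an added example that is not code from this page or from the Jackson project. It assumes the jackson-databind jar carries the standard Maven descriptor at META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties; if it does not, the check falls back to Jackson's own PackageVersion, whose toString() renders 2.9.10.4 as 2.9.10-4, which the parser below accepts. The class name JacksonDatabindCheck and the verdict strings are constructed for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;

public class JacksonDatabindCheck {

    static final int[] FIXED_VERSION = { 2, 9, 10, 4 };
    static final String GADGET_CLASS = "org.aoju.bus.proxy.provider.remoting.RmiProvider";
    // Assumption: the jar was built by Maven and carries the standard descriptor here.
    static final String POM_PROPERTIES =
            "/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties";

    // Version string of the jackson-databind copy the JVM actually loaded (not what
    // the build file says). The Maven descriptor is read first because it keeps all
    // four components verbatim; PackageVersion is the fallback.
    static String installedVersion() throws IOException {
        try (InputStream in = ObjectMapper.class.getResourceAsStream(POM_PROPERTIES)) {
            if (in != null) {
                Properties p = new Properties();
                p.load(in);
                String v = p.getProperty("version");
                if (v != null && !v.trim().isEmpty()) {
                    return v.trim();
                }
            }
        }
        return PackageVersion.VERSION.toString();
    }

    // Numeric comparison of dot- or dash-separated components; a missing component
    // counts as 0, so 2.9.10 sorts below 2.9.10.4 and 2.10.0 sorts above it.
    static boolean isAtLeast(String version, int[] required) {
        String[] parts = version.split("[.\\-]");
        for (int i = 0; i < required.length; i++) {
            int have = (i < parts.length) ? parseOrZero(parts[i]) : 0;
            if (have != required[i]) {
                return have > required[i];
            }
        }
        return true;
    }

    static int parseOrZero(String s) {
        try {
            return Integer.parseInt(s);
        } catch (NumberFormatException e) {
            return 0;   // "SNAPSHOT" or similar non-numeric suffixes
        }
    }

    // initialize=false: we only ask whether the gadget class is reachable and must
    // not run its static initializer while doing so.
    static boolean gadgetOnClasspath(ClassLoader loader) {
        try {
            Class.forName(GADGET_CLASS, false, loader);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    static String verdict(String version, boolean gadgetPresent) {
        if (isAtLeast(version, FIXED_VERSION)) {
            return "jackson-databind " + version + " is at or above 2.9.10.4: CVE-2020-10968 is fixed";
        }
        if (gadgetPresent) {
            return "jackson-databind " + version + " is vulnerable AND " + GADGET_CLASS
                    + " is loadable: the CVE-2020-10968 chain is available; upgrade now";
        }
        return "jackson-databind " + version + " is vulnerable; the bus-proxy gadget is absent, "
                + "but other gadget chains exist for this version; upgrade";
    }

    public static void main(String[] args) throws IOException {
        String version = installedVersion();
        boolean gadget = gadgetOnClasspath(JacksonDatabindCheck.class.getClassLoader());
        System.out.println(verdict(version, gadget));
    }
}
```

Run it inside the application's own classloader (for example from a health endpoint or a startup hook) rather than from a separate JVM, since the point is to see the copy that deserializes real traffic; mvn dependency:tree will not notice a jackson-databind relocated inside a shaded dependency, but the resource lookup on ObjectMapper.class will.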
📡 Detection & Monitoring
Log Indicators:
- Unusual deserialization errors or stack traces mentioning org.aoju.bus.proxy.provider.remoting.RmiProvider or InvalidTypeIdException in application logs; unexpected child processes spawned by the application server (from endpoint telemetry rather than application logs).
Network Indicators:
- Suspicious inbound JSON payloads to APIs, especially ones carrying polymorphic type identifiers (fully qualified class names in the body), or outbound RMI connections (commonly TCP 1099) from the application server to unknown hosts.
SIEM Query:
Example: source="app_logs" AND ("RmiProvider" OR "deserialization error")
🔗 References
- https://github.com/FasterXML/jackson-databind/issues/2662
- https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html
- https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://security.netapp.com/advisory/ntap-20200403-0002/
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html