CVE-2020-11111
📋 TL;DR
jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and polymorphic typing; this CVE covers gadget classes in org.apache.activemq.* (activemq-jms, activemq-core, activemq-pool and activemq-pool-jms), which the fix adds to the library's built-in blocklist. An application is exposed only when three conditions hold at once: it deserializes JSON (or XML via jackson-dataformat-xml) from an untrusted source; polymorphic typing is enabled for a broad base type, either globally with enableDefaultTyping() or per property with @JsonTypeInfo on a field declared as Object, Serializable or a similarly general type; and the gadget's library is on the classpath. When all three hold, the attacker names the gadget class in the type id, Jackson instantiates it and calls its setters with attacker-supplied values, and the gadget's side effects run with the application's privileges, which in practice means remote code execution.
💻 Affected Systems
- FasterXML jackson-databind 2.x before 2.9.10.4
- Applications and products that embed jackson-databind for JSON (or, via jackson-dataformat-xml, XML) data binding, including the Oracle products listed below
📦 What is this software?
jackson-databind is the data-binding layer of the FasterXML Jackson library for Java: it maps JSON to and from Java objects and is pulled in transitively by a large share of Java frameworks and products. The following Oracle products bundle it and are listed as affected in the Oracle Critical Patch Update advisories referenced below:
- Agile PLM
- AutoVue for Agile Product Lifecycle Management
- Communications Diameter Signaling Router
- Communications Evolved Communications Application Server
- Communications Instant Messaging Server
- Communications Network Charging and Control
- Communications Session Report Manager
- Communications Session Route Manager
- Enterprise Manager Base Platform
- Global Lifecycle Management OPatch
- JD Edwards EnterpriseOne Orchestrator
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker achieves arbitrary code execution with the privileges of the application, potentially leading to complete system compromise.
Likely Case
Remote code execution leading to data theft, lateral movement, or deployment of malware.
If Mitigated
No practical exploit path when polymorphic typing is disabled or restricted to an allowlist of the application's own types, or when no property of a general type (Object, Serializable and the like) is bound from untrusted input; removing unused gadget libraries such as the activemq jars from the classpath also closes this particular CVE, though not the gadget class as a whole.
🎯 Exploit Status
Exploitation requires specific conditions but has been demonstrated in proof-of-concepts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.10.4 or later
Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2664
Restart Required: Yes
Instructions:
1. Update the jackson-databind dependency to 2.9.10.4 or later. jackson-databind usually arrives transitively through a framework or another library, so pin the version with Maven dependencyManagement or a Gradle resolutionStrategy.force rather than only editing a direct dependency, and re-run the dependency tree to confirm the resolved version changed.
2. Rebuild and redeploy; a shaded or fat jar that embeds its own copy of jackson-databind must be rebuilt against the fixed version.
3. Restart affected applications so the new jar is actually loaded.
🔧 Temporary Workarounds
Disable default typing
Turn off global polymorphic type handling in the ObjectMapper configuration. Without a type id to honour, Jackson cannot be made to instantiate an attacker-chosen class, so this removes the exploit path for every gadget, not just the activemq ones. It does not affect properties annotated with @JsonTypeInfo, which must be audited separately.
// Java code (2.9): objectMapper.disableDefaultTyping();
// Java code (2.10+): objectMapper.deactivateDefaultTyping();
Restrict typing with an allowlisting validator (2.10+)
If polymorphic typing is genuinely required, keep it but limit the classes a type id may name to your own types. LaissezFaireSubTypeValidator accepts every class and reproduces the legacy unsafe behaviour, so it is not a mitigation; use BasicPolymorphicTypeValidator with an allowlist instead (replace the package prefix with your own model package):
// Java code (2.10+):
// PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
//         .allowIfSubType("com.example.app.model.")
//         .build();
// objectMapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
A validator installed with JsonMapper.builder().polymorphicTypeValidator(ptv) also governs @JsonTypeInfo-annotated properties. On 2.9.x there is no validator API; disabling default typing (or patching) is the only library-level option.
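The two configurations side by side, as an added example written for this page (not code from the jackson-databind project): a hypothetical Envelope with an Object-typed payload field, one mapper configured with the legacy laissez-faire behaviour and one with an allowlisting BasicPolymorphicTypeValidator, each fed a legitimate message and one whose type id names a class the application never intended. The Event/LoginEvent types and both JSON inputs are constructed for the example, and java.util.HashMap stands in for a gadget class so it runs without any vulnerable library on the classpath. Requires jackson-databind 2.10 or later.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

import java.io.IOException;

public class SafeTypingDemo {

    // Hypothetical application types, constructed for this example.
    public interface Event { }
    public static class LoginEvent implements Event { public String user; }

    // An Object-typed property is exactly the shape default typing makes dangerous:
    // the class to instantiate is read from the JSON, so the sender picks it.
    public static class Envelope { public Object payload; }

    /** Legacy behaviour: equivalent to enableDefaultTyping(); any class on the classpath may be named. */
    public static ObjectMapper unsafeMapper() {
        return JsonMapper.builder()
                .activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
                        ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    /** Hardened: a type id may only name a subtype of our own Event hierarchy. */
    public static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Event.class)   // everything else is denied before instantiation
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    /** Returns the class Jackson instantiated for "payload", or null if the mapper refused the type id. */
    public static Class<?> payloadClass(ObjectMapper mapper, String json) throws IOException {
        try {
            Envelope e = mapper.readValue(json, Envelope.class);
            return e.payload == null ? null : e.payload.getClass();
        } catch (JsonMappingException denied) {
            // Both a PolymorphicTypeValidator denial and the built-in gadget blocklist surface here.
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        // Legitimate message: wrapper-array type id (the NON_FINAL default) naming our own class.
        String legit = "{\"payload\":[\"" + LoginEvent.class.getName() + "\",{\"user\":\"alice\"}]}";
        // Sender-controlled type id naming a class the application never meant to bind here.
        String hostile = "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

        System.out.println("unsafe mapper, legitimate input -> " + payloadClass(unsafeMapper(), legit));
        System.out.println("unsafe mapper, hostile input    -> " + payloadClass(unsafeMapper(), hostile));
        System.out.println("safe mapper,   legitimate input -> " + payloadClass(safeMapper(), legit));
        System.out.println("safe mapper,   hostile input    -> " + payloadClass(safeMapper(), hostile));
    }
}
```

With the laissez-faire mapper the hostile input yields a java.util.HashMap: the caller chose the class, which is the primitive a gadget chain is built on. With the validator the same input is rejected with an InvalidTypeIdException (a JsonMappingException subclass) before any instance is created, while the LoginEvent message binds with both mappers. allowIfSubType(Event.class) is applied after the class is loaded; an allowIfSubType("your.package.") prefix rule is checked against the name first and denies without loading anything, so prefer it when your model lives in a dedicated package.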
🧯 If You Can't Patch
- Remove the gadget's library from the classpath if the application does not actually use it: for this CVE, the activemq-core, activemq-jms, activemq-pool and activemq-pool-jms jars. Without the gadget class present, the type id cannot be resolved and the attack fails.
- Audit where untrusted JSON is bound to properties of type Object, Serializable or other broad base types, and replace them with concrete types or a @JsonTypeInfo(use = JsonTypeInfo.Id.NAME) scheme with an explicit @JsonSubTypes list, which maps logical names to classes you choose instead of loading whatever class the input names.
- Treat input validation and WAF rules as a weak last line: they can flag the ["fully.qualified.ClassName",{...}] shape or known gadget package names in request bodies, but the set of usable gadgets is open-ended, so such rules are detection rather than prevention.
🔍 How to Verify
Check if Vulnerable:
Look for jackson-databind earlier than 2.9.10.4 in the resolved dependency tree, not only in pom.xml or build.gradle, since the library is usually a transitive dependency. For a deployed jar, read the Maven metadata it carries:
unzip -p jackson-databind-*.jar META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties | grep version
or, at runtime, log new ObjectMapper().version() (com.fasterxml.jackson.databind.cfg.PackageVersion.VERSION holds the same value).
Check Version:
mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind
gradle dependencyInsight --configuration runtimeClasspath --dependency jackson-databind
Verify Fix Applied:
Confirm that the resolved (effective) jackson-databind version is 2.9.10.4 or higher, that no shaded or fat jar still embeds an older copy (unzip -l the artifact and look for com/fasterxml/jackson/databind/), and that the application was restarted afterwards.
📡 Detection & Monitoring
Log Indicators:
- Jackson's own rejections: InvalidDefinitionException with "prevented for security reasons" (a type id named a class on the built-in gadget blocklist, which means someone is probing with a known gadget) and, on 2.10+, InvalidTypeIdException reporting that the configured PolymorphicTypeValidator denied resolution
- Loading of library classes the application never uses in normal operation (for this CVE, org.apache.activemq.*), visible with -verbose:class or JFR class-load events
- Outbound connections from the JVM to unexpected hosts immediately after a request was deserialized
Network Indicators:
- JSON request bodies carrying polymorphic type ids: a two-element array whose first element is a fully qualified Java class name (["org.apache.activemq.…",{…}]), or an "@class"/"@type" property naming one
- Bursts of requests from one source that end in deserialization errors, typical of gadget enumeration
SIEM Query:
source="application.logs" AND ("InvalidDefinitionException" OR "InvalidTypeIdException" OR "prevented for security reasons" OR "denied resolution")
source="access.logs" AND body="*org.apache.activemq.*"
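Detection logic for the network indicator above, as an added example (not from the page's sources): a scanner that pulls Jackson polymorphic type ids out of request-log lines, both the wrapper-array form that enableDefaultTyping() produces and the @class/@type property form, and flags any class outside a hypothetical allowlist, escalating to HIGH for the org.apache.activemq.* package this CVE concerns. The log lines, the com.example.app.model. allowlist and the PlaceholderGadget class name are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TypeIdScanner {

    // A Java class name: lowercase package segments followed by a capitalised simple name.
    // Requiring the capital keeps ordinary string arrays such as ["report.pdf", ...] from matching.
    private static final String CLASS_NAME = "((?:[a-z_$][\\w$]*\\.)+[A-Z][\\w$]*)";

    // Wrapper-array form, the default inclusion for enableDefaultTyping(): ["com.acme.Foo",{...}]
    private static final Pattern WRAPPER_ARRAY =
            Pattern.compile("\\[\\s*\"" + CLASS_NAME + "\"\\s*,");
    // Property form used by @JsonTypeInfo(use = Id.CLASS, include = As.PROPERTY): "@class":"com.acme.Foo"
    private static final Pattern TYPE_PROPERTY =
            Pattern.compile("\"@(?:class|type)\"\\s*:\\s*\"" + CLASS_NAME + "\"");

    // Hypothetical allowlist: the application's own model package (assumption for this example).
    private static final String[] ALLOWED_PREFIXES = { "com.example.app.model." };
    // Package named in the CVE-2020-11111 description; a type id here is a direct exploit attempt.
    private static final String[] KNOWN_GADGET_PREFIXES = { "org.apache.activemq." };

    /** Returns one finding per suspicious type id in the line; empty means the line is clean. */
    public static List<String> scan(String logLine) {
        // Structured logs usually embed the request body as a JSON string with escaped quotes.
        String body = logLine.replace("\\\"", "\"");
        List<String> findings = new ArrayList<>();
        for (Pattern p : new Pattern[] { WRAPPER_ARRAY, TYPE_PROPERTY }) {
            Matcher m = p.matcher(body);
            while (m.find()) {
                String cls = m.group(1);
                if (startsWithAny(cls, ALLOWED_PREFIXES)) {
                    continue; // our own types are expected to appear as type ids
                }
                String severity = startsWithAny(cls, KNOWN_GADGET_PREFIXES) ? "HIGH" : "MEDIUM";
                findings.add(severity + ": polymorphic type id " + cls);
            }
        }
        return findings;
    }

    private static boolean startsWithAny(String s, String[] prefixes) {
        for (String prefix : prefixes) {
            if (s.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    // Constructed sample request-log lines (not real traffic); the third is a JSON-structured
    // log record whose body field carries escaped quotes.
    static final String[] SAMPLE_LOG = {
        "2020-04-02T10:00:01Z 10.0.0.5 POST /api/events body={\"payload\":[\"com.example.app.model.LoginEvent\",{\"user\":\"alice\"}]}",
        "2020-04-02T10:00:07Z 198.51.100.9 POST /api/events body={\"payload\":[\"org.apache.activemq.PlaceholderGadget\",{\"x\":1}]}",
        "{\"ts\":\"2020-04-02T10:00:09Z\",\"src\":\"198.51.100.9\",\"body\":\"{\\\"payload\\\":{\\\"@class\\\":\\\"java.util.HashMap\\\",\\\"k\\\":\\\"v\\\"}}\"}",
        "2020-04-02T10:00:12Z 10.0.0.7 GET /api/files?names=[\"report.pdf\",\"notes.txt\"]"
    };

    public static void main(String[] args) {
        for (String line : SAMPLE_LOG) {
            List<String> findings = scan(line);
            System.out.println((findings.isEmpty() ? "clean  " : "ALERT  ") + line);
            for (String f : findings) {
                System.out.println("         " + f);
            }
        }
    }
}
```

Of the four sample lines, the first is clean because its type id is in the allowlist, the second raises HIGH for the activemq package, the third raises MEDIUM for java.util.HashMap named through "@class", and the fourth is clean because "report.pdf" is not shaped like a class name. The regexes are a triage filter, not a parser: a body that is URL-encoded, gzip-compressed or split across log lines will not match, so run the same logic at the point where the decoded request body is available (a servlet filter or the WAF) when you need coverage rather than a quick sweep of existing logs.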
🔗 References
- https://github.com/FasterXML/jackson-databind/issues/2664
- https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html
- https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://security.netapp.com/advisory/ntap-20200403-0002/
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html