CVE-2020-11113

Q: What is the severity of CVE-2020-11113?

CVE-2020-11113 has a CVSS score of 8.8 (HIGH). This is a deserialization vulnerability in FasterXML jackson-databind that allows remote code execution when processing untrusted JSON content. It affects applications using jackson-databind 2.x before 2.9.10.4 with default polymorphic typing enabled. The vulnerability exploits interaction between serialization gadgets and the openjpa library.

8.8 HIGH

Remote Code Execution Deserialization

📋 TL;DR

This is a deserialization vulnerability in FasterXML jackson-databind that allows remote code execution when processing untrusted JSON content. It affects applications using jackson-databind 2.x before 2.9.10.4 with default polymorphic typing enabled. The vulnerability exploits interaction between serialization gadgets and the openjpa library.

💻 Affected Systems

Products:

FasterXML jackson-databind
Applications using jackson-databind for JSON processing
Apache OpenJPA integration

Versions: 2.x before 2.9.10.4

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires polymorphic typing to be enabled (defaultObjectMapper.enableDefaultTyping() or similar). Applications using openjpa are particularly vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attacker achieves full system compromise and arbitrary code execution on the vulnerable server.

🟠

Likely Case

Remote code execution leading to data theft, system takeover, or lateral movement within the network.

🟢

If Mitigated

Denial of service or application crash if exploit fails, but RCE remains primary risk.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploits require sending specially crafted JSON to vulnerable endpoints. Multiple proof-of-concepts exist in security research.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.10.4 or later

Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2670

Restart Required: Yes

Instructions:

1. Update jackson-databind dependency to version 2.9.10.4 or later. 2. Update pom.xml or build.gradle to use patched version. 3. Rebuild and redeploy application. 4. Restart affected services.

🔧 Temporary Workarounds

Disable polymorphic typing

all

Disable default typing features in ObjectMapper configuration

ObjectMapper mapper = new ObjectMapper();
// Do NOT call mapper.enableDefaultTyping()

Block openjpa classes

all

Add openjpa to the list of blocked deserialization classes

mapper.addMixIn(Object.class, MyMixInForIgnoreType.class);

🧯 If You Can't Patch

Implement strict input validation and sanitization for all JSON inputs
Deploy WAF rules to block malicious JSON payloads containing openjpa references

🔍 How to Verify

Check if Vulnerable:

Check pom.xml, build.gradle, or dependency manifest for jackson-databind version <2.9.10.4

Check Version:

mvn dependency:tree | grep jackson-databind OR gradle dependencies | grep jackson-databind

Verify Fix Applied:

Verify jackson-databind version is 2.9.10.4 or higher in dependency files

📡 Detection & Monitoring

Log Indicators:

Java exceptions mentioning org.apache.openjpa
Deserialization errors in application logs
Unexpected class loading attempts

Network Indicators:

HTTP requests with JSON payloads containing openjpa class references
Unusual outbound connections from application server

SIEM Query:

source="application.log" AND ("openjpa" OR "deserialization" OR "ClassNotFoundException")

📊 Metadata

CVE ID: CVE-2020-11113

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-502

Published: March 31, 2020

Last Updated: November 21, 2024

🔗 References

https://github.com/FasterXML/jackson-databind/issues/2670 Patch,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html Mailing List,Third Party Advisory
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://security.netapp.com/advisory/ntap-20200403-0002/ Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Patch,Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2670 Patch,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html Mailing List,Third Party Advisory
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://security.netapp.com/advisory/ntap-20200403-0002/ Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Patch,Third Party Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Agile Plm by Oracle

Autovue For Agile Product Lifecycle Management by Oracle

Banking Digital Experience by Oracle

Banking Digital Experience by Oracle

Banking Digital Experience by Oracle

Banking Digital Experience by Oracle

Banking Digital Experience by Oracle

Banking Digital Experience by Oracle

Banking Platform by Oracle

Communications Calendar Server by Oracle

Communications Contacts Server by Oracle

Communications Diameter Signaling Router by Oracle

Communications Element Manager by Oracle

Communications Evolved Communications Application Server by Oracle

Communications Instant Messaging Server by Oracle

Communications Network Charging And Control by Oracle

Communications Network Charging And Control by Oracle

Communications Session Report Manager by Oracle

Communications Session Route Manager by Oracle

Debian Linux by Debian

Enterprise Manager Base Platform by Oracle

Enterprise Manager Base Platform by Oracle

Financial Services Analytical Applications Infrastructure by Oracle

Financial Services Institutional Performance Analytics by Oracle

Financial Services Institutional Performance Analytics by Oracle

Financial Services Institutional Performance Analytics by Oracle

Financial Services Price Creation And Discovery by Oracle

Financial Services Price Creation And Discovery by Oracle

Financial Services Retail Customer Analytics by Oracle

Global Lifecycle Management Opatch by Oracle

Insurance Policy Administration J2ee by Oracle

Insurance Policy Administration J2ee by Oracle

Jackson Databind by Fasterxml

Jd Edwards Enterpriseone Orchestrator by Oracle

Jd Edwards Enterpriseone Tools by Oracle

Primavera Unifier by Oracle

Primavera Unifier by Oracle

Primavera Unifier by Oracle

Primavera Unifier by Oracle

Primavera Unifier by Oracle

Retail Merchandising System by Oracle

Retail Sales Audit by Oracle

Retail Service Backbone by Oracle

Retail Service Backbone by Oracle

Retail Service Backbone by Oracle

Retail Xstore Point Of Service by Oracle

Retail Xstore Point Of Service by Oracle

Retail Xstore Point Of Service by Oracle

Retail Xstore Point Of Service by Oracle

Retail Xstore Point Of Service by Oracle

Steelstore Cloud Integrated Storage by Netapp

Webcenter Portal by Oracle

Webcenter Portal by Oracle

Weblogic Server by Oracle

Weblogic Server by Oracle

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable polymorphic typing

Block openjpa classes

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References