CVE-2020-11619
📋 TL;DR
This is a deserialization vulnerability in FasterXML jackson-databind that allows remote code execution when untrusted data is deserialized with polymorphic type handling enabled. It affects applications using jackson-databind 2.x before 2.9.10.4 that deserialize data from untrusted sources with default typing or @JsonTypeInfo annotations.
💻 Affected Systems
- FasterXML jackson-databind
- Applications using jackson-databind for JSON deserialization
- Spring Framework applications using jackson-databind
📦 What is this software?
- Agile PLM by Oracle
- Communications Diameter Signaling Router by Oracle
- Communications Evolved Communications Application Server by Oracle
- Communications Instant Messaging Server by Oracle
- Communications Network Charging And Control by Oracle
- Enterprise Manager Base Platform by Oracle
- Global Lifecycle Management OPatch by Oracle
- JD Edwards EnterpriseOne Orchestrator by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the application, potentially leading to complete system compromise.
Likely Case
Remote code execution allowing attackers to execute arbitrary commands on the server.
If Mitigated
No impact if applications don't deserialize untrusted data or have proper type filtering in place.
🎯 Exploit Status
Exploitation requires specific conditions but public PoCs exist. Attackers need to craft malicious JSON payloads targeting the MethodLocatingFactoryBean gadget.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.10.4 or later
Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2680
Restart Required: Yes
Instructions:
1. Update the jackson-databind dependency to version 2.9.10.4 or later.
2. Update pom.xml or build.gradle to use the patched version.
3. Rebuild and redeploy the application.
4. Restart affected services.
🔧 Temporary Workarounds
Disable default typing
Disable polymorphic type handling (default typing) in the ObjectMapper configuration. Default typing is off unless the application enables it, so this only helps where the application can do without it. On 2.9.x the method is disableDefaultTyping(); 2.10 renamed it deactivateDefaultTyping(). Note that activateDefaultTyping(null) turns default typing on rather than off.
ObjectMapper mapper = new ObjectMapper();
mapper.disableDefaultTyping(); // 2.9.x API; on 2.10+ use mapper.deactivateDefaultTyping()
Restrict default typing with a type validator
The built-in blacklist is not something you switch on: jackson-databind applies it automatically, and 2.9.10.4 is the release that adds this gadget to it. Calling activateDefaultTyping(mapper.getPolymorphicTypeValidator(), ...) re-enables default typing with the permissive default validator, which is exactly the vulnerable configuration. On 2.10+, restrict type ids to the application's own types with a PolymorphicTypeValidator allow-list instead:
ObjectMapper mapper = new ObjectMapper();
PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
        .allowIfSubType("com.example.model.") // assumed application package; adjust to your own
        .build();
mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
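The following is an added example, not code from the advisory or from the Jackson project: it places the permissive configuration this CVE depends on next to the allow-list form, and shows that the hardened mapper refuses a type id outside the allow-list. It assumes jackson-databind 2.10 or later (BasicPolymorphicTypeValidator does not exist in 2.9.x), a hypothetical Shape/Circle model, and uses java.util.HashMap purely as a harmless stand-in for an unexpected class name.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

public class DefaultTypingHardening {

    // Hypothetical application model, constructed for this example.
    public abstract static class Shape { }
    public static class Circle extends Shape { public double radius; }

    // WEAK: the equivalent of the pre-2.10 enableDefaultTyping() behaviour.
    // Any class name found on the classpath is accepted as a type id; this is
    // the configuration CVE-2020-11619 requires.
    static ObjectMapper weakMapper() {
        return new ObjectMapper().activateDefaultTyping(
                LaissezFaireSubTypeValidator.instance, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // HARDENED: default typing stays on, but a type id is only honoured when
    // the resolved class is a subtype of the application's own Shape.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Returns the name of the class Jackson instantiated for the document, or
    // null when the PolymorphicTypeValidator refused the type id.
    static String classInstantiated(ObjectMapper mapper, String json) throws Exception {
        try {
            return mapper.readValue(json, Object.class).getClass().getName();
        } catch (InvalidTypeIdException denied) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs in Jackson's WRAPPER_ARRAY form: a legitimate model
        // object, and an arbitrary JDK class used as the type id.
        String legit = "[\"" + Circle.class.getName() + "\",{\"radius\":2.0}]";
        String arbitrary = "[\"java.util.HashMap\",{}]";

        System.out.println("hardened, legit:     " + classInstantiated(hardenedMapper(), legit));
        System.out.println("hardened, arbitrary: " + classInstantiated(hardenedMapper(), arbitrary));
        System.out.println("weak, arbitrary:     " + classInstantiated(weakMapper(), arbitrary));
    }
}
```

The weak mapper instantiates whatever class the document names, while the hardened mapper only instantiates Circle and reports null for the HashMap type id; in a real application, log that InvalidTypeIdException, since it is a direct indicator of an unexpected type id arriving in input.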
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all JSON input
- Use a Web Application Firewall (WAF) with deserialization attack detection rules
🔍 How to Verify
Check if Vulnerable:
Check pom.xml, build.gradle, or the dependency manifest for the resolved jackson-databind version, including copies pulled in transitively by Spring or other frameworks. If the version is 2.x and earlier than 2.9.10.4, the application is vulnerable when it also enables polymorphic type handling (default typing or @JsonTypeInfo) for data from untrusted sources.
Check Version:
mvn dependency:tree | grep jackson-databind
gradle dependencies | grep jackson-databind
Verify Fix Applied:
Verify jackson-databind version is 2.9.10.4 or later in dependencies and rebuild/redeploy application.
📡 Detection & Monitoring
Log Indicators:
- Unusual Java class loading errors
- Exceptions related to MethodLocatingFactoryBean or deserialization
- Unexpected process spawning
Network Indicators:
- Malformed JSON payloads containing Java class references
- Requests with unusual content types or structures
SIEM Query:
source="application.logs" AND ("MethodLocatingFactoryBean" OR "deserialization" OR "jackson") AND severity=ERROR
🔗 References
- https://github.com/FasterXML/jackson-databind/issues/2680
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html
- https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://security.netapp.com/advisory/ntap-20200511-0004/
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html