CVE-2020-14062

Q: What is the severity of CVE-2020-14062?

CVE-2020-14062 has a CVSS score of 8.1 (HIGH). This vulnerability in FasterXML jackson-databind allows remote code execution through deserialization of untrusted data. Attackers can exploit the interaction between serialization gadgets and typing features to execute arbitrary code when processing malicious JSON payloads. Affected systems include any application using vulnerable versions of jackson-databind with polymorphic type handling enabled.

8.1 HIGH

Remote Code Execution Deserialization

📋 TL;DR

This vulnerability in FasterXML jackson-databind allows remote code execution through deserialization of untrusted data. Attackers can exploit the interaction between serialization gadgets and typing features to execute arbitrary code when processing malicious JSON payloads. Affected systems include any application using vulnerable versions of jackson-databind with polymorphic type handling enabled.

💻 Affected Systems

Products:

FasterXML jackson-databind
Applications using jackson-databind for JSON processing

Versions: 2.x before 2.9.10.5

Operating Systems: All

Default Config Vulnerable: ✅ No

Notes: Requires polymorphic type handling (default typing or @JsonTypeInfo) to be enabled. Default configurations without these features are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Remote code execution with the privileges of the application processing JSON data, potentially leading to application takeover.

🟢

If Mitigated

Limited impact if proper input validation and deserialization controls are in place, potentially resulting in denial of service.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires sending malicious JSON payloads to endpoints that deserialize with polymorphic type handling enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.10.5 or later

Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2704

Restart Required: Yes

Instructions:

1. Update jackson-databind dependency to version 2.9.10.5 or later. 2. Update Maven/Gradle dependencies accordingly. 3. Restart affected applications. 4. Verify no older vulnerable versions remain in the dependency tree.

🔧 Temporary Workarounds

Disable polymorphic type handling

all

Disable default typing and avoid @JsonTypeInfo annotations in vulnerable configurations

Configure ObjectMapper with disableDefaultTyping()

Block JNDI connections

all

Configure JVM to disable JNDI lookups from untrusted sources

-Dcom.sun.jndi.ldap.object.trustURLCodebase=false
-Dcom.sun.jndi.rmi.object.trustURLCodebase=false

🧯 If You Can't Patch

Implement strict input validation and sanitization for all JSON inputs
Use allow-listing for deserialization classes instead of block-listing

🔍 How to Verify

Check if Vulnerable:

Check pom.xml or build.gradle for jackson-databind version <2.9.10.5, or run: mvn dependency:tree | grep jackson-databind

Check Version:

mvn dependency:tree | grep jackson-databind OR gradle dependencies | grep jackson-databind

Verify Fix Applied:

Verify jackson-databind version is 2.9.10.5 or higher in dependency tree

📡 Detection & Monitoring

Log Indicators:

Unusual JNDI connection attempts
Exceptions related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool
Stack traces containing deserialization errors

Network Indicators:

Unusual outbound LDAP/RMI connections from application servers
Large or malformed JSON payloads to API endpoints

SIEM Query:

source="application.logs" AND ("JNDIConnectionPool" OR "xalan2" OR "jackson.databind")

📊 Metadata

CVE ID: CVE-2020-14062

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-502

Published: June 14, 2020

Last Updated: November 21, 2024

🔗 References

https://github.com/FasterXML/jackson-databind/issues/2704 Patch,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html Mailing List,Third Party Advisory
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://security.netapp.com/advisory/ntap-20200702-0003/ Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2704 Patch,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html Mailing List,Third Party Advisory
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://security.netapp.com/advisory/ntap-20200702-0003/ Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Third Party Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Active Iq Unified Manager by Netapp

Active Iq Unified Manager by Netapp

Active Iq Unified Manager by Netapp

Agile Plm by Oracle

Banking Digital Experience by Oracle

Banking Digital Experience by Oracle

Banking Digital Experience by Oracle

Banking Digital Experience by Oracle

Banking Digital Experience by Oracle

Banking Digital Experience by Oracle

Communications Calendar Server by Oracle

Communications Contacts Server by Oracle

Communications Diameter Signaling Router by Oracle

Communications Element Manager by Oracle

Communications Evolved Communications Application Server by Oracle

Communications Session Report Manager by Oracle

Communications Session Route Manager by Oracle

Debian Linux by Debian

Jackson Databind by Fasterxml

Steelstore Cloud Integrated Storage by Netapp

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable polymorphic type handling

Block JNDI connections

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities