CVE-2020-24616

Q: What is the severity of CVE-2020-24616?

CVE-2020-24616 has a CVSS score of 8.1 (HIGH). This is a deserialization vulnerability in FasterXML jackson-databind that allows remote code execution when processing untrusted JSON data. It affects applications using jackson-databind 2.x before 2.9.10.6 with default polymorphic typing enabled and the Anteros-DBCP library in classpath.

8.1 HIGH

Remote Code Execution Deserialization

📋 TL;DR

This is a deserialization vulnerability in FasterXML jackson-databind that allows remote code execution when processing untrusted JSON data. It affects applications using jackson-databind 2.x before 2.9.10.6 with default polymorphic typing enabled and the Anteros-DBCP library in classpath.

💻 Affected Systems

Products:

FasterXML jackson-databind
Applications using jackson-databind with Anteros-DBCP

Versions: 2.x before 2.9.10.6

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires polymorphic typing enabled (defaultObjectMapper.enableDefaultTyping() or similar) and Anteros-DBCP library in classpath.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the application, potentially leading to complete system compromise.

🟠

Likely Case

Remote code execution allowing attackers to execute arbitrary commands on the server.

🟢

If Mitigated

No impact if polymorphic typing is disabled or untrusted data is not processed.

🌐 Internet-Facing: HIGH - Internet-facing applications processing JSON from untrusted sources are highly vulnerable.

🏢 Internal Only: MEDIUM - Internal applications could still be exploited through compromised internal systems or malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is straightforward when conditions are met. Multiple public PoCs exist demonstrating RCE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.10.6 or later

Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2814

Restart Required: Yes

Instructions:

1. Update jackson-databind to version 2.9.10.6 or later. 2. Update dependencies in your build system (Maven, Gradle, etc.). 3. Rebuild and redeploy your application. 4. Restart affected services.

🔧 Temporary Workarounds

Disable polymorphic typing

all

Disable default typing features if not required for your application.

ObjectMapper mapper = new ObjectMapper(); // Do NOT call enableDefaultTyping()

Block Anteros-DBCP class

all

Add AnterosDBCPDataSource to the default deny list in jackson-databind.

System.setProperty("com.fasterxml.jackson.databind.type.mapping", "br.com.anteros.dbcp.AnterosDBCPDataSource")

🧯 If You Can't Patch

Disable polymorphic typing in ObjectMapper configuration
Implement input validation and sanitization for all JSON inputs

🔍 How to Verify

Check if Vulnerable:

Check your project's dependency tree for jackson-databind versions before 2.9.10.6 and presence of Anteros-DBCP library.

Check Version:

mvn dependency:tree | grep jackson-databind OR gradle dependencies | grep jackson-databind

Verify Fix Applied:

Verify jackson-databind version is 2.9.10.6 or later in your dependencies and no vulnerable configurations exist.

📡 Detection & Monitoring

Log Indicators:

Unexpected deserialization errors
ClassNotFoundExceptions for AnterosDBCPDataSource
Unusual process spawning

Network Indicators:

Malformed JSON payloads containing serialized gadget chains
Unexpected outbound connections from application

SIEM Query:

source="application.logs" AND ("AnterosDBCPDataSource" OR "jackson.databind" AND error)

📊 Metadata

CVE ID: CVE-2020-24616

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-502

Published: August 25, 2020

Last Updated: November 21, 2024

🔗 References

https://github.com/FasterXML/jackson-databind/issues/2814 Issue Tracking,Patch,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html Mailing List,Third Party Advisory
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://security.netapp.com/advisory/ntap-20200904-0006/ Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Patch,Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2814 Issue Tracking,Patch,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html Mailing List,Third Party Advisory
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://security.netapp.com/advisory/ntap-20200904-0006/ Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Patch,Third Party Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Active Iq Unified Manager by Netapp

Active Iq Unified Manager by Netapp

Active Iq Unified Manager by Netapp

Agile Plm by Oracle

Application Testing Suite by Oracle

Autovue For Agile Product Lifecycle Management by Oracle

Banking Liquidity Management by Oracle

Banking Liquidity Management by Oracle

Banking Liquidity Management by Oracle

Banking Supply Chain Finance by Oracle

Banking Supply Chain Finance by Oracle

Banking Supply Chain Finance by Oracle

Blockchain Platform by Oracle

Communications Calendar Server by Oracle

Communications Calendar Server by Oracle

Communications Cloud Native Core Unified Data Repository by Oracle

Communications Contacts Server by Oracle

Communications Contacts Server by Oracle

Communications Diameter Signaling Router by Oracle

Communications Element Manager by Oracle

Communications Evolved Communications Application Server by Oracle

Communications Instant Messaging Server by Oracle

Communications Messaging Server by Oracle

Communications Offline Mediation Controller by Oracle

Communications Policy Management by Oracle

Communications Pricing Design Center by Oracle

Communications Services Gatekeeper by Oracle

Communications Session Report Manager by Oracle

Communications Unified Inventory Management by Oracle

Debian Linux by Debian

Identity Manager Connector by Oracle

Jackson Databind by Fasterxml

Siebel Ui Framework by Oracle

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable polymorphic typing

Block Anteros-DBCP class

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities