CVE-2020-28491 – This vulnerability in Jackson CBOR data format ... (How to Fix)

Q: What is the severity of CVE-2020-28491?

CVE-2020-28491 has a CVSS score of 7.5 (HIGH). This vulnerability in Jackson CBOR data format library allows attackers to cause denial of service through memory exhaustion by sending specially crafted CBOR data. It affects applications using vulnerable versions of com.fasterxml.jackson.dataformat:jackson-dataformat-cbor to parse untrusted CBOR input. The vulnerability can lead to application crashes and resource exhaustion.

📋 TL;DR

This vulnerability in Jackson CBOR data format library allows attackers to cause denial of service through memory exhaustion by sending specially crafted CBOR data. It affects applications using vulnerable versions of com.fasterxml.jackson.dataformat:jackson-dataformat-cbor to parse untrusted CBOR input. The vulnerability can lead to application crashes and resource exhaustion.

💻 Affected Systems

Products:

com.fasterxml.jackson.dataformat:jackson-dataformat-cbor

Versions: 0 to 2.11.3, 2.12.0-rc1 to 2.12.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Only vulnerable when parsing untrusted CBOR data. Applications not using CBOR format or not parsing external input are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete application outage due to OutOfMemoryError, potentially affecting multiple services in containerized environments where memory limits are shared.

🟠

Likely Case

Service disruption and denial of service for affected endpoints, requiring application restart to recover.

🟢

If Mitigated

Minimal impact with proper input validation, memory limits, and monitoring in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending malicious CBOR data to vulnerable endpoints. Proof-of-concept available in GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.4 or 2.12.1

Vendor Advisory: https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6

Restart Required: Yes

Instructions:

1. Update dependency to 2.11.4 or 2.12.1 in build configuration (pom.xml or build.gradle). 2. Rebuild and redeploy application. 3. Restart affected services.

🔧 Temporary Workarounds

Input validation and size limits

all

Implement size limits on incoming CBOR data and validate input before parsing

Memory limit enforcement

all

Set JVM memory limits and container resource constraints to prevent system-wide impact

java -Xmx512m -jar yourapp.jar

🧯 If You Can't Patch

Disable CBOR parsing for untrusted sources or implement strict input validation
Implement circuit breakers and monitoring for memory usage spikes

🔍 How to Verify

Check if Vulnerable:

Check dependency version in pom.xml, build.gradle, or deployed JAR/WAR files for vulnerable versions

Check Version:

mvn dependency:tree | grep jackson-dataformat-cbor OR gradle dependencies | grep jackson-dataformat-cbor

Verify Fix Applied:

Verify updated dependency version in build files and confirm application uses patched version

📡 Detection & Monitoring

Log Indicators:

java.lang.OutOfMemoryError
High memory usage spikes
Application crashes during CBOR parsing

Network Indicators:

Unusually large CBOR payloads to application endpoints
Repeated connection attempts with CBOR data

SIEM Query:

source="application.logs" AND ("OutOfMemoryError" OR "java.lang.OutOfMemoryError")

📊 Metadata

CVE ID: CVE-2020-28491

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-770

Published: February 18, 2021

Last Updated: November 21, 2024

🔗 References

https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6 Patch,Third Party Advisory
https://github.com/FasterXML/jackson-dataformats-binary/issues/186 Issue Tracking,Patch,Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329 Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Patch,Third Party Advisory
https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6 Patch,Third Party Advisory
https://github.com/FasterXML/jackson-dataformats-binary/issues/186 Issue Tracking,Patch,Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329 Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Patch,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-28491, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Jackson Dataformats Binary by Fasterxml

Jackson Dataformats Binary by Fasterxml

Jackson Dataformats Binary by Fasterxml

Jackson Dataformats Binary by Fasterxml

Jackson Dataformats Binary by Fasterxml

Quarkus by Quarkus

Weblogic Server by Oracle

Weblogic Server by Oracle

Weblogic Server by Oracle

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Input validation and size limits

Memory limit enforcement

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities