CVE-2020-35491
📋 TL;DR
This vulnerability in FasterXML jackson-databind allows remote code execution through deserialization of untrusted data. Attackers can exploit the interaction between serialization gadgets and typing features to execute arbitrary code on affected systems. Any application using vulnerable versions of jackson-databind with default or permissive deserialization settings is affected.
💻 Affected Systems
- FasterXML jackson-databind
- Applications using jackson-databind for JSON processing
- Apache Commons DBCP2
📦 What is this software?
- Agile PLM by Oracle
- Autovue For Agile Product Lifecycle Management by Oracle
- Banking Virtual Account Management by Oracle
- Communications Cloud Native Core Policy by Oracle
- Communications Cloud Native Core Unified Data Repository by Oracle
- Communications Diameter Signaling Route by Oracle
- Communications Evolved Communications Application Server by Oracle
- Communications Instant Messaging Server by Oracle
- Communications Offline Mediation Controller by Oracle
- Communications Pricing Design Center by Oracle
- Communications Services Gatekeeper by Oracle
- Communications Unified Inventory Management by Oracle
- Documaker by Oracle
- Insurance Policy Administration J2EE by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with remote code execution leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Application compromise allowing attackers to execute arbitrary code within the application context, potentially accessing sensitive data or disrupting services.
If Mitigated
Limited impact if proper input validation and deserialization controls are in place, potentially resulting in denial of service at worst.
🎯 Exploit Status
Exploitation requires specific conditions but has been demonstrated in proof-of-concept code. The vulnerability leverages known gadget chains.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.10.8 or later
Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2986
Restart Required: Yes
Instructions:
1. Identify all applications using jackson-databind.
2. Update the jackson-databind dependency to version 2.9.10.8 or later.
3. Rebuild and redeploy affected applications.
4. Restart services using the updated libraries.
🔧 Temporary Workarounds
Disable default typing
Configure the Jackson ObjectMapper so that default typing and polymorphic type handling stay off (they are off out of the box; only mappers that enabled default typing, or properties annotated with @JsonTypeInfo, deserialize attacker-named types):
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

ObjectMapper mapper = new ObjectMapper();
mapper.deactivateDefaultTyping(); // 2.10+; on 2.9.x the equivalent call is mapper.disableDefaultTyping()
mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true); // unrelated to typing, but rejects unexpected fields
Block dangerous classes
Jackson's internal SubTypeValidator is the hard-coded denylist that the fixed versions extend; it is not configurable from application code. If polymorphic deserialization is genuinely required, enable it only with a PolymorphicTypeValidator that allowlists the application's own types, so that SharedPoolDataSource and every other class outside the allowlist is rejected before it is instantiated:
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
        .allowIfSubType("com.example.app.") // placeholder: your own model package prefix
        .build();
mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all JSON inputs
- Deploy network segmentation and application firewalls to restrict access to vulnerable systems
🔍 How to Verify
Check if Vulnerable:
Check Maven/Gradle dependencies for jackson-databind version <2.9.10.8. Review application configuration for default typing or polymorphic type handling.
Check Version:
mvn dependency:tree | grep jackson-databind
or, for Gradle:
gradle dependencies | grep jackson-databind
Verify Fix Applied:
Verify jackson-databind version is 2.9.10.8 or later in dependency files and runtime classpath. Test deserialization with known malicious payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual deserialization errors
- Stack traces containing SharedPoolDataSource or related classes
- Unexpected class loading
Network Indicators:
- Unusual JSON payloads with type information
- Requests attempting to trigger deserialization
SIEM Query:
source="application.logs" AND ("SharedPoolDataSource" OR "deserialization error" OR "ClassNotFoundException")
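As an added example (not from the advisory or the Jackson project), a small Python detector that applies the indicators above to constructed samples: it walks a JSON body for Jackson polymorphic type ids in both the property and wrapper-array forms, rates ids in the dbcp2 gadget package or outside the application's own package (assumed to be com.example.), and filters log lines by the same terms as the SIEM query.

```python
import json
import re

# Constructed samples (not captured traffic): JSON request bodies and log lines.
SAMPLE_BODIES = [
    '{"name": "widget", "qty": 3}',
    '{"ds": ["org.apache.commons.dbcp2.datasources.SharedPoolDataSource", {}]}',
    '{"@class": "com.example.app.Order", "id": 7}',
    '[{"@type": "java.util.HashMap"}]',
]
SAMPLE_LOGS = [
    "INFO  OrderController - order 42 accepted",
    "ERROR ObjectMapper - Could not resolve type id 'org.apache.commons.dbcp2.datasources.SharedPoolDataSource'",
    "ERROR Loader - java.lang.ClassNotFoundException: org.example.Missing",
]
# Jackson type-id property names (Id.CLASS, Id.NAME, Id.MINIMAL_CLASS), the gadget package, a class-name shape, SIEM terms.
TYPE_ID_KEYS = {"@class", "@type", "@c"}
DENIED_PREFIXES = ("org.apache.commons.dbcp2.",)
FQCN = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")
LOG_TERMS = re.compile(r"SharedPoolDataSource|deserialization error|ClassNotFoundException")

def type_ids(node):
    """Yield type ids in a parsed JSON tree: {"@class": "..."} (As.PROPERTY)
    and ["fqcn", {...}] (As.WRAPPER_ARRAY), at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in TYPE_ID_KEYS and isinstance(value, str):
                yield value
            yield from type_ids(value)
    elif isinstance(node, list):
        if len(node) == 2 and isinstance(node[0], str) and FQCN.match(node[0]):
            yield node[0]
        for item in node:
            yield from type_ids(item)

def classify_body(body, allowed_prefix="com.example."):
    """(severity, ids): 'high' = gadget package, 'medium' = type info outside
    the app's own package (assumed com.example.), 'none' = no type ids / not JSON."""
    try:
        ids = list(type_ids(json.loads(body)))
    except ValueError:
        return "none", []
    if any(t.startswith(DENIED_PREFIXES) for t in ids):
        return "high", ids
    if any(not t.startswith(allowed_prefix) for t in ids):
        return "medium", ids
    return "none", ids

def log_hits(lines):  # lines matching the same terms as the SIEM query above
    return [line for line in lines if LOG_TERMS.search(line)]
```

A "medium" hit on a body that legitimately carries type info for your own classes means the allowed prefix needs adjusting, not that the request is malicious.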
🔗 References
- https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://github.com/FasterXML/jackson-databind/issues/2986
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://security.netapp.com/advisory/ntap-20210122-0005/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html