CVE-2020-35728
📋 TL;DR
This vulnerability in FasterXML jackson-databind allows remote code execution through deserialization of untrusted data. Attackers can exploit the interaction between serialization gadgets and typing features to execute arbitrary code on affected systems. Any application using vulnerable versions of jackson-databind with default or polymorphic typing enabled is at risk.
💻 Affected Systems
- FasterXML jackson-databind
- Applications using jackson-databind for JSON processing
- Oracle WebLogic Server
- Various Java applications with embedded Xalan
📦 What is this software?
Products reported as affected by this CVE:
- Agile PLM by Oracle
- AutoVue by Oracle
- Banking Corporate Lending Process Management by Oracle
- Banking Credit Facilities Process Management by Oracle
- Banking Virtual Account Management by Oracle
- Communications Billing And Revenue Management by Oracle
- Communications Cloud Native Core Policy by Oracle
- Communications Cloud Native Core Unified Data Repository by Oracle
- Communications Convergent Charging Controller by Oracle
- Communications Diameter Signaling Router by Oracle
- Communications Evolved Communications Application Server by Oracle
- Communications Network Charging And Control by Oracle
- Communications Policy Management by Oracle
- Communications Services Gatekeeper by Oracle
- Communications Session Report Manager by Oracle
- Communications Session Route Manager by Oracle
- Communications Unified Inventory Management by Oracle
- JD Edwards EnterpriseOne Orchestrator by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Remote code execution allowing attackers to run arbitrary commands, install malware, or exfiltrate sensitive data.
If Mitigated
Limited impact if proper input validation, deserialization controls, and network segmentation are implemented.
🎯 Exploit Status
Exploit requires sending specially crafted JSON payloads to vulnerable endpoints; multiple public PoCs exist demonstrating the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: jackson-databind 2.9.10.8 or later
Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2999
Restart Required: Yes
Instructions:
1. Update the jackson-databind dependency to version 2.9.10.8 or later.
2. Update Maven/Gradle dependencies accordingly.
3. Rebuild and redeploy affected applications.
4. Restart application servers.
🔧 Temporary Workarounds
Disable default typing
Disable polymorphic type handling in the Jackson ObjectMapper configuration
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
ObjectMapper mapper = new ObjectMapper();
mapper.deactivateDefaultTyping(); // Jackson 2.10+; on 2.9.x the method is mapper.disableDefaultTyping()
mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false); // tolerate unknown fields; unrelated to the CVE itself
Block JNDIConnectionPool class
Jackson's blocklist (the one 2.9.10.8 extends with com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool) is internal; if default typing must stay enabled, restrict it from application code with a PolymorphicTypeValidator so the gadget class can never be chosen as a subtype
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
// Jackson 2.10+: allow only your own model types as polymorphic subtypes; any other type id, JNDIConnectionPool included, is rejected
PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder().allowIfSubType("com.example.myapp.").build(); // placeholder prefix, substitute your own package
mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all JSON inputs
- Use network segmentation to isolate vulnerable applications from critical systems
- Deploy WAF rules to block malicious JSON payloads
- Monitor for unusual deserialization patterns and failed JSON parsing
🔍 How to Verify
Check if Vulnerable:
Check pom.xml or build.gradle for a jackson-databind version below 2.9.10.8, or read the version from the jar's manifest: unzip -p jackson-databind-*.jar META-INF/MANIFEST.MF | grep -i version
Check Version:
mvn dependency:tree | grep jackson-databind
gradle dependencies | grep jackson-databind
Verify Fix Applied:
Confirm that jackson-databind resolves to 2.9.10.8 or higher in the dependency tree, then test JSON deserialization with known malicious payloads.
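The version check above, automated as an added example (not part of the advisory or of the Jackson project): it parses the lines that `mvn dependency:tree` and `gradle dependencies` print, plus the `<dependency>` entries of a pom.xml, and compares every jackson-databind version found with the advisory's fixed version 2.9.10.8. It also covers two cases the one-liners miss: Gradle's `requested -> resolved` conflict-resolution arrow (the version after the arrow is the one that ships) and a pom.xml version given as a `${property}`. All sample input is constructed.

```python
"""Version check for CVE-2020-35728 (jackson-databind below 2.9.10.8).
Added example, not part of the advisory: parses what `mvn dependency:tree` or
`gradle dependencies` prints, plus pom.xml <dependency> entries, and compares each
jackson-databind version with the advisory's fixed version. Sample input is constructed."""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "2.9.10.8"  # fixed version stated in the advisory

# Maven prints "group:artifact:jar:version:scope"; Gradle prints "requested -> resolved"
# when conflict resolution changes a version, and the one after the arrow is what ships.
_MAVEN_RE = re.compile(r"com\.fasterxml\.jackson\.core:jackson-databind:jar:([\w.\-]+):")
_GRADLE_RE = re.compile(r"com\.fasterxml\.jackson\.core:jackson-databind:([\w.\-]+)(?:\s*->\s*([\w.\-]+))?")


def parse_version(version: str) -> tuple[int, ...]:
    """'2.9.10.8' -> (2, 9, 10, 8); stops at the first non-numeric segment, so an
    unresolved '${jackson.version}' becomes the empty tuple."""
    parts = []
    for segment in version.split("."):
        m = re.match(r"\d+", segment)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Tuple comparison orders 2.9.10 < 2.9.10.8 < 2.10.0. An unparseable version
    (empty tuple) is reported vulnerable rather than silently skipped."""
    return parse_version(version) < parse_version(fixed)


def resolved_versions(build_output: str) -> list[str]:
    """Every jackson-databind version a Maven or Gradle dependency listing resolves to."""
    found = []
    for line in build_output.splitlines():
        m = _MAVEN_RE.search(line)
        if m:
            found.append(m.group(1))
            continue
        m = _GRADLE_RE.search(line)
        if m:
            found.append(m.group(2) or m.group(1))  # prefer the resolved (post-arrow) version
    return found


def pom_versions(pom_xml: str) -> list[str]:
    """jackson-databind versions declared in a pom.xml; ${property} references are
    resolved from <properties>, and anything unresolved is returned verbatim."""
    local = lambda tag: tag.rsplit("}", 1)[-1]  # drop the POM XML namespace
    root = ET.fromstring(pom_xml)
    props = {local(p.tag): (p.text or "").strip()
             for el in root.iter() if local(el.tag) == "properties" for p in el}
    versions = []
    for dep in root.iter():
        if local(dep.tag) != "dependency":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("artifactId") != "jackson-databind":
            continue
        v = fields.get("version", "")
        if v.startswith("${") and v.endswith("}"):
            v = props.get(v[2:-1], v)
        versions.append(v)
    return versions


def scan(build_output: str) -> list[tuple[str, bool]]:
    """(version, vulnerable?) for each jackson-databind entry in a dependency listing."""
    return [(v, is_vulnerable(v)) for v in resolved_versions(build_output)]


# Constructed sample: one Maven line, two Gradle lines (one with conflict resolution).
SAMPLE_BUILD_OUTPUT = """\
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10:compile
+--- com.fasterxml.jackson.core:jackson-databind:2.9.8 -> 2.9.10.8
\\--- com.fasterxml.jackson.core:jackson-databind:2.12.3 (*)
"""
# Constructed sample pom.xml that pins the version through a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jackson.version>2.9.10.8</jackson.version></properties>
  <dependencies><dependency><groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId><version>${jackson.version}</version>
  </dependency></dependencies></project>"""

if __name__ == "__main__":
    for version, vulnerable in scan(SAMPLE_BUILD_OUTPUT):
        print(f"{version:<10} {'VULNERABLE' if vulnerable else 'ok'}")
    for version in pom_versions(SAMPLE_POM):
        print(f"pom.xml declares {version}: {'VULNERABLE' if is_vulnerable(version) else 'ok'}")
```

Run it against the saved output of `mvn dependency:tree` or `gradle dependencies` for every module, not just the top-level one: a transitive dependency can pull in an older jackson-databind than the one declared in your own pom.xml, and a version the script cannot parse is deliberately reported as vulnerable so that it gets looked at.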
📡 Detection & Monitoring
Log Indicators:
- Failed JSON deserialization attempts
- Unusual class loading patterns
- JNDI lookup attempts in logs
- Stack traces containing JNDIConnectionPool or related classes
Network Indicators:
- Unusual JSON payloads with type information
- Requests containing polymorphic type indicators
- Outbound LDAP/JNDI connections from application servers
SIEM Query:
source="application.logs" AND ("JNDIConnectionPool" OR "com.oracle.wls.shaded" OR "DefaultTyping" OR "PolymorphicTypeValidator")
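An offline equivalent of the SIEM query above, written here as an added example (not part of the advisory): it scans application log lines for the same four tokens, ranks each hit, and pulls out the type id from the two messages Jackson emits when it refuses a type ("Illegal type (X) to deserialize: prevented for security reasons" from the built-in blocklist, "Could not resolve type id 'X'" from a PolymorphicTypeValidator). The severity tiers are this example's own assumption and the sample log lines are constructed; adapt the tokens to your own logging format.

```python
"""Offline equivalent of the advisory's SIEM query for CVE-2020-35728.
Added example, not part of the advisory: scans application log lines for the
indicators listed above and ranks them. The severity tiers are this example's own
assumption; the sample log lines are constructed."""
import re
from typing import Dict, List, Optional

# Indicator -> (severity, meaning). The gadget class name and the WebLogic shaded
# package are the strongest signals. Jackson names PolymorphicTypeValidator in the
# message it raises when a type id is rejected, so that token means a polymorphic
# payload reached the application and was refused. DefaultTyping on its own is
# usually configuration noise, so it ranks lowest.
INDICATORS = {
    "com.oracle.wls.shaded": ("high", "WebLogic shaded Xalan package referenced"),
    "JNDIConnectionPool": ("high", "gadget class referenced"),
    "PolymorphicTypeValidator": ("medium", "type id rejected by validator"),
    "DefaultTyping": ("low", "default typing referenced"),
}
_RANK = {"high": 3, "medium": 2, "low": 1}

# Jackson's own message prefixes for refused type ids: the built-in blocklist says
# "Illegal type (X) to deserialize: prevented for security reasons", a validator says
# "Could not resolve type id 'X'". Either way the type id is worth extracting.
_TYPE_ID_RE = re.compile(r"Illegal type \(([^)]+)\) to deserialize|Could not resolve type id '([^']+)'")


def classify_line(line: str) -> Optional[dict]:
    """Return {severity, indicators, type_id} for a matching line, or None."""
    hits = [token for token in INDICATORS if token in line]
    if not hits:
        return None
    severity = max((INDICATORS[t][0] for t in hits), key=_RANK.__getitem__)
    m = _TYPE_ID_RE.search(line)
    type_id = (m.group(1) or m.group(2)) if m else None
    return {"severity": severity, "indicators": hits, "type_id": type_id}


def scan_logs(lines: List[str]) -> List[dict]:
    """Findings for every matching line, keeping the 1-based line number."""
    findings = []
    for n, line in enumerate(lines, start=1):
        hit = classify_line(line)
        if hit:
            findings.append({"line": n, **hit})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


# Constructed sample log lines (not real application output).
SAMPLE_LOGS = [
    "2021-01-12T10:14:02Z WARN  api - Illegal type (com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool) to deserialize: prevented for security reasons",
    "2021-01-12T10:14:05Z INFO  api - request served in 12ms",
    "2021-01-12T10:15:30Z ERROR api - Could not resolve type id 'com.example.Evil' as a subtype of `java.lang.Object`: Configured `PolymorphicTypeValidator` denied resolution",
    "2021-01-12T10:16:00Z INFO  cfg - DefaultTyping enabled for legacy module",
]

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for f in found:
        print(f"line {f['line']}: {f['severity']:<6} {', '.join(f['indicators'])} type_id={f['type_id']}")
    print(summarize(found))
```

A high-severity hit on a patched system is still worth an incident ticket: the blocklist message means the gadget class was named in a payload that reached the deserializer, which is the request-level evidence to correlate with the outbound LDAP/JNDI connections listed under Network Indicators.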
🔗 References
- https://github.com/FasterXML/jackson-databind/issues/2999
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://security.netapp.com/advisory/ntap-20210129-0007/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html