CVE-2020-36180
📋 TL;DR
This vulnerability in FasterXML jackson-databind allows remote code execution through deserialization of untrusted data. It affects applications using jackson-databind 2.x before 2.9.10.8 that have default polymorphic typing enabled and Apache Commons DBCP2 (whose DriverAdapterCPDS class serves as the gadget) on the classpath. An attacker exploits it by sending a crafted JSON document to an endpoint that deserializes it.
💻 Affected Systems
- FasterXML jackson-databind
- Applications using jackson-databind for JSON processing
- Deployments with Apache Commons DBCP2 on the classpath (the source of the DriverAdapterCPDS gadget class)
📦 What is this software?
Oracle products that bundle the vulnerable library, as listed in Oracle's Critical Patch Update advisories (see References):
- Agile Plm
- Autovue For Agile Product Lifecycle Management
- Banking Corporate Lending Process Management
- Banking Credit Facilities Process Management
- Banking Virtual Account Management
- Communications Billing And Revenue Management
- Communications Cloud Native Core Policy
- Communications Cloud Native Core Unified Data Repository
- Communications Convergent Charging Controller
- Communications Diameter Signaling Route
- Communications Evolved Communications Application Server
- Communications Instant Messaging Server
- Communications Network Charging And Control
- Communications Offline Mediation Controller
- Communications Policy Management
- Communications Pricing Design Center
- Communications Services Gatekeeper
- Communications Session Report Manager
- Communications Session Route Manager
- Communications Unified Inventory Management
- Documaker
- Jd Edwards Enterpriseone Orchestrator
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with remote code execution as the application user, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Remote code execution on the vulnerable application server, allowing attackers to execute arbitrary commands, access sensitive data, or disrupt services.
If Mitigated
Denial of service or application crash if exploitation attempts are blocked by security controls.
🎯 Exploit Status
Exploitation requires sending specially crafted JSON to endpoints that deserialize untrusted data. Public proof-of-concept code exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.10.8 or later (2.10.x, 2.11.x, 2.12.x)
Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/3004
Restart Required: Yes
Instructions:
1. Identify all applications using jackson-databind.
2. Update the jackson-databind dependency to version 2.9.10.8 or later.
3. For Maven: update the <jackson.version> property in pom.xml.
4. For Gradle: update the dependencies in build.gradle.
5. Rebuild and redeploy the applications.
6. Restart the affected services.
🔧 Temporary Workarounds
Disable default typing
Disable polymorphic type handling in the ObjectMapper configuration (the 2.10+ API; on 2.9.x the equivalent call is disableDefaultTyping()):
ObjectMapper mapper = new ObjectMapper();
mapper.deactivateDefaultTyping();
Block dangerous classes
jackson-databind's SubTypeValidator is the library's internal blocklist of known gadget classes; the patch itself extends it, and a mix-in such as setMixInAnnotation(DriverAdapterCPDS.class, NoClass.class) does not add to it (NoClass carries no annotations, so the mix-in has no effect). If default typing cannot be turned off, limit which classes a type id may name with a PolymorphicTypeValidator allowlist (2.10+), which rejects DriverAdapterCPDS and any other class outside the listed packages:
PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
    .allowIfSubType("com.example.")   // your own model packages only
    .build();
mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
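The weak configuration this CVE depends on next to the allowlisted one, as an added example that is not part of the advisory or of jackson-databind itself; it assumes jackson-databind 2.10 or later and that the application's own model types live under an assumed package com.example.

```java
package com.example;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not from the advisory. Assumes jackson-databind 2.10+ and that the
// application's own model types live under the (assumed) package com.example.
public class TypingHardening {
    // Constructed model types. The Object-typed field is what forces a type id into the JSON;
    // Envelope is final so that the root value itself needs no type id under NON_FINAL.
    public static class Event { public String name; }
    public static final class Envelope { public Object payload; }

    // Weak: the configuration this CVE requires. Any class on the classpath is a legal type id.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    // Hardened: default typing stays on, but a type id may only name a class under com.example.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // True if the mapper accepts the document, false if the validator refuses its type id.
    static boolean accepts(ObjectMapper m, String json) throws Exception {
        try {
            m.readValue(json, Envelope.class);
            return true;
        } catch (InvalidTypeIdException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one names our own type, the other a JDK class outside the allowlist.
        String own = "{\"payload\":[\"com.example.TypingHardening$Event\",{\"name\":\"login\"}]}";
        String foreign = "{\"payload\":[\"java.util.ArrayList\",[1,2]]}";
        System.out.println("weak mapper, foreign type id:     " + accepts(weakMapper(), foreign));
        System.out.println("hardened mapper, foreign type id: " + accepts(hardenedMapper(), foreign));
        System.out.println("hardened mapper, own type id:     " + accepts(hardenedMapper(), own));
    }
}
```

The hardened mapper refuses the foreign type id with an InvalidTypeIdException before any class outside the allowlist is instantiated, which is the property the workaround relies on.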
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all JSON inputs
- Use network segmentation and WAF rules to block malicious payloads containing DriverAdapterCPDS references
🔍 How to Verify
Check if Vulnerable:
Check application dependencies for jackson-databind version <2.9.10.8. Review code for enableDefaultTyping() usage.
Check Version:
Maven: mvn dependency:tree | grep jackson-databind
Gradle: gradle dependencies | grep jackson-databind
Verify Fix Applied:
Verify jackson-databind version is 2.9.10.8 or later in dependency manifests and runtime classpath.
📡 Detection & Monitoring
Log Indicators:
- Java stack traces containing DriverAdapterCPDS, ClassNotFoundException for gadget classes
- Unusual deserialization errors in application logs
Network Indicators:
- HTTP requests with JSON payloads containing DriverAdapterCPDS class references
- Unusual outbound connections from application servers
SIEM Query:
(source="*app.log*" AND "DriverAdapterCPDS") OR (source="*web.log*" AND "POST" AND "application/json" AND size>10000)
🔗 References
- https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://github.com/FasterXML/jackson-databind/issues/3004
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://security.netapp.com/advisory/ntap-20210205-0005/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html