CVE-2020-36181
📋 TL;DR
This vulnerability in FasterXML jackson-databind allows remote code execution through deserialization of untrusted data. Attackers can exploit the interaction between serialization gadgets and typing features to execute arbitrary code on affected systems. Any application using vulnerable versions of jackson-databind with default or polymorphic typing enabled is at risk.
💻 Affected Systems
- FasterXML jackson-databind
- Applications using jackson-databind for JSON processing
📦 What is this software?
Agile Plm by Oracle
Autovue For Agile Product Lifecycle Management by Oracle
View all CVEs affecting Autovue For Agile Product Lifecycle Management →
Banking Corporate Lending Process Management by Oracle
View all CVEs affecting Banking Corporate Lending Process Management →
Banking Corporate Lending Process Management by Oracle
View all CVEs affecting Banking Corporate Lending Process Management →
Banking Corporate Lending Process Management by Oracle
View all CVEs affecting Banking Corporate Lending Process Management →
Banking Credit Facilities Process Management by Oracle
View all CVEs affecting Banking Credit Facilities Process Management →
Banking Credit Facilities Process Management by Oracle
View all CVEs affecting Banking Credit Facilities Process Management →
Banking Credit Facilities Process Management by Oracle
View all CVEs affecting Banking Credit Facilities Process Management →
Banking Virtual Account Management by Oracle
View all CVEs affecting Banking Virtual Account Management →
Banking Virtual Account Management by Oracle
View all CVEs affecting Banking Virtual Account Management →
Banking Virtual Account Management by Oracle
View all CVEs affecting Banking Virtual Account Management →
Communications Billing And Revenue Management by Oracle
View all CVEs affecting Communications Billing And Revenue Management →
Communications Billing And Revenue Management by Oracle
View all CVEs affecting Communications Billing And Revenue Management →
Communications Cloud Native Core Policy by Oracle
View all CVEs affecting Communications Cloud Native Core Policy →
Communications Cloud Native Core Unified Data Repository by Oracle
View all CVEs affecting Communications Cloud Native Core Unified Data Repository →
Communications Convergent Charging Controller by Oracle
View all CVEs affecting Communications Convergent Charging Controller →
Communications Diameter Signaling Route by Oracle
View all CVEs affecting Communications Diameter Signaling Route →
Communications Evolved Communications Application Server by Oracle
View all CVEs affecting Communications Evolved Communications Application Server →
Communications Instant Messaging Server by Oracle
View all CVEs affecting Communications Instant Messaging Server →
Communications Network Charging And Control by Oracle
View all CVEs affecting Communications Network Charging And Control →
Communications Offline Mediation Controller by Oracle
View all CVEs affecting Communications Offline Mediation Controller →
Communications Policy Management by Oracle
Communications Pricing Design Center by Oracle
View all CVEs affecting Communications Pricing Design Center →
Communications Services Gatekeeper by Oracle
View all CVEs affecting Communications Services Gatekeeper →
Communications Session Report Manager by Oracle
View all CVEs affecting Communications Session Report Manager →
Communications Session Route Manager by Oracle
View all CVEs affecting Communications Session Route Manager →
Communications Unified Inventory Management by Oracle
View all CVEs affecting Communications Unified Inventory Management →
Documaker by Oracle
Documaker by Oracle
Documaker by Oracle
Jd Edwards Enterpriseone Orchestrator by Oracle
View all CVEs affecting Jd Edwards Enterpriseone Orchestrator →
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing remote attackers to execute arbitrary code with application privileges, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Remote code execution leading to application compromise, data exfiltration, or service disruption.
If Mitigated
Limited impact if proper input validation and deserialization controls are in place, potentially reduced to denial of service.
🎯 Exploit Status
Exploitation requires sending specially crafted JSON payloads to endpoints that deserialize untrusted data with typing enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.10.8 or later
Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/3004
Restart Required: Yes
Instructions:
1. Update jackson-databind dependency to version 2.9.10.8 or later. 2. Update pom.xml or build.gradle to reference patched version. 3. Rebuild and redeploy application. 4. Restart affected services.
🔧 Temporary Workarounds
Disable default typing
allDisable polymorphic type handling in ObjectMapper configuration
ObjectMapper mapper = new ObjectMapper();
mapper.activateDefaultTyping(null);
Input validation
allImplement strict input validation and only deserialize trusted sources
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable systems
- Deploy web application firewall with JSON deserialization protection rules
🔍 How to Verify
Check if Vulnerable:
Check application dependencies for jackson-databind version 2.x < 2.9.10.8Check Version:
mvn dependency:tree | grep jackson-databind OR gradle dependencies | grep jackson-databindVerify Fix Applied:
Verify jackson-databind version is 2.9.10.8 or higher in dependencies📡 Detection & Monitoring
Log Indicators:
- Unusual deserialization errors
- Unexpected class loading in logs
- Stack traces containing DriverAdapterCPDS or related classes
Network Indicators:
- Large JSON payloads to deserialization endpoints
- Requests with polymorphic type indicators
SIEM Query:
source="application.logs" AND ("DriverAdapterCPDS" OR "deserialization error" OR "ClassNotFoundException")🔗 References
- https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://github.com/FasterXML/jackson-databind/issues/3004
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://security.netapp.com/advisory/ntap-20210205-0005/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://github.com/FasterXML/jackson-databind/issues/3004
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://security.netapp.com/advisory/ntap-20210205-0005/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
