CVE-2020-36183
📋 TL;DR
This vulnerability in FasterXML jackson-databind 2.x (before 2.9.10.8) allows remote code execution through deserialization of untrusted data. When default polymorphic typing is enabled, attacker-controlled JSON can name a serialization gadget class (here org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool) and have it instantiated, so the interaction between gadgets and typing features leads to arbitrary code execution. Applications that use jackson-databind 2.x with default typing enabled and have the gadget's library on the classpath are affected.
💻 Affected Systems
- FasterXML jackson-databind
- Applications using jackson-databind for JSON processing
📦 What is this software?
Oracle products that bundle jackson-databind and are listed as affected by this CVE (see the Oracle Critical Patch Update advisories in the references):
- Agile Plm
- Autovue For Agile Product Lifecycle Management
- Banking Corporate Lending Process Management
- Banking Credit Facilities Process Management
- Banking Virtual Account Management
- Communications Billing And Revenue Management
- Communications Cloud Native Core Policy
- Communications Cloud Native Core Unified Data Repository
- Communications Convergent Charging Controller
- Communications Diameter Signaling Route
- Communications Evolved Communications Application Server
- Communications Instant Messaging Server
- Communications Network Charging And Control
- Communications Offline Mediation Controller
- Communications Policy Management
- Communications Pricing Design Center
- Communications Services Gatekeeper
- Communications Session Report Manager
- Communications Session Route Manager
- Communications Unified Inventory Management
- Documaker
- Jd Edwards Enterpriseone Orchestrator
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Remote code execution with the privileges of the application process, potentially allowing data access and further exploitation.
If Mitigated
Denial of service or limited information disclosure if proper input validation and sandboxing are in place.
🎯 Exploit Status
Exploitation requires specific conditions but has been demonstrated in proof-of-concept code. The vulnerability leverages known gadget chains.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.10.8 or later (2.10.x and 2.11.x also have fixes)
Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/3003
Restart Required: Yes
Instructions:
1. Update the jackson-databind dependency to version 2.9.10.8 or later.
2. Update pom.xml or build.gradle with the new version.
3. Rebuild and redeploy the application.
4. Restart affected services.
🔧 Temporary Workarounds
Disable polymorphic typing
Disable the default typing feature that enables polymorphic deserialization of arbitrary class names:
// In Java code:
objectMapper.disableDefaultTyping();
// Or, on 2.10 and later, leave default typing off and allow only known subtypes through a PolymorphicTypeValidator
Block dangerous classes
jackson-databind ships a built-in blocklist of known gadget classes; the fixed releases extend it to cover this CVE, so the blocklist itself is updated by patching, not by configuration. A mix-in on the base type can additionally switch off type handling for that type:
objectMapper.addMixIn(Object.class, MyMixInForIgnoreType.class); // MyMixInForIgnoreType is a placeholder class you define; it only has an effect if it carries annotations that disable type information
// Configure in application properties or programmatically
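As an added example (not code from this page or from the jackson-databind project): on jackson-databind 2.10 or later, the hardened form of the first workaround is to keep global default typing off and, where polymorphism is genuinely needed, activate it only behind a PolymorphicTypeValidator allowlist. The package com.example.model, the Order class and both JSON inputs are constructed for the example.

```java
package com.example.model;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeTypingExample {

    // Hypothetical application model type; everything under com.example.model. is trusted.
    public static class Order {
        public int id;
    }

    // Weak setting (what the CVE needs): objectMapper.enableDefaultTyping() lets the JSON
    // name any class on the classpath. Corrected setting (2.10+): default typing is only
    // activated behind an allowlist, so unknown type ids are rejected, not instantiated.
    static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")  // prefix match on the class name
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = safeMapper();

        // Constructed input: type id inside the allowlist, in the WRAPPER_ARRAY shape
        // that default typing uses. Deserializes normally.
        String ok = "[\"com.example.model.SafeTypingExample$Order\", {\"id\": 42}]";
        Order o = (Order) safe.readValue(ok, Object.class);
        System.out.println("allowed: order id=" + o.id);

        // Constructed input: type id outside the allowlist. java.util.HashMap is a harmless
        // stand-in for a gadget class; the validator throws before any object is built.
        String denied = "[\"java.util.HashMap\", {}]";
        try {
            safe.readValue(denied, Object.class);
            System.out.println("UNEXPECTED: type was accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("blocked: " + e.getTypeId());
        }
    }
}
```

Run it with jackson-databind 2.10+ on the classpath; the second input fails with InvalidTypeIdException naming java.util.HashMap, which is the behaviour you want for every class you did not allowlist.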
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all JSON inputs
- Use network segmentation to isolate vulnerable systems and limit attack surface
🔍 How to Verify
Check if Vulnerable:
Check pom.xml, build.gradle, or the dependency manifest for the resolved jackson-databind version; a transitive dependency pulled in by another library counts. Use:
mvn dependency:tree | grep jackson-databind
gradle dependencies | grep jackson-databind
Check Version:
For a deployed application, the jar file name on the classpath carries the version (jackson-databind-<version>.jar); to confirm it from the jar's own manifest:
unzip -p jackson-databind-*.jar META-INF/MANIFEST.MF | grep -iE 'bundle-version|implementation-version'
Verify Fix Applied:
Verify the version is 2.9.10.8 or higher (or a fixed 2.10.x or 2.11.x release). Check that the application still processes JSON correctly.
📡 Detection & Monitoring
Log Indicators:
- Unexpected ClassNotFoundException or NoClassDefFoundError for JNDIConnectionPool or related classes
- Unusual outbound network connections to LDAP/JNDI servers
- Stack traces containing org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool
Network Indicators:
- Outbound LDAP connections from application servers to untrusted sources
- Unusual JNDI lookup patterns in network traffic
SIEM Query:
source="application.logs" AND ("JNDIConnectionPool" OR "ClassNotFoundException" OR "NoClassDefFoundError")
🔗 References
- https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://github.com/FasterXML/jackson-databind/issues/3003
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://security.netapp.com/advisory/ntap-20210205-0005/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html