CVE-2020-36185
📋 TL;DR
This vulnerability in FasterXML jackson-databind allows remote code execution through deserialization of untrusted data. Attackers can exploit the interaction between serialization gadgets and typing to execute arbitrary code on affected systems. Any application using vulnerable versions of jackson-databind with default or unsafe configurations is affected.
💻 Affected Systems
- FasterXML jackson-databind
- Applications using jackson-databind for JSON processing
- Apache Tomcat with DBCP2
📦 What is this software?
Agile Plm by Oracle
Autovue For Agile Product Lifecycle Management by Oracle
View all CVEs affecting Autovue For Agile Product Lifecycle Management →
Banking Corporate Lending Process Management by Oracle
View all CVEs affecting Banking Corporate Lending Process Management →
Banking Corporate Lending Process Management by Oracle
View all CVEs affecting Banking Corporate Lending Process Management →
Banking Corporate Lending Process Management by Oracle
View all CVEs affecting Banking Corporate Lending Process Management →
Banking Credit Facilities Process Management by Oracle
View all CVEs affecting Banking Credit Facilities Process Management →
Banking Credit Facilities Process Management by Oracle
View all CVEs affecting Banking Credit Facilities Process Management →
Banking Credit Facilities Process Management by Oracle
View all CVEs affecting Banking Credit Facilities Process Management →
Banking Virtual Account Management by Oracle
View all CVEs affecting Banking Virtual Account Management →
Banking Virtual Account Management by Oracle
View all CVEs affecting Banking Virtual Account Management →
Banking Virtual Account Management by Oracle
View all CVEs affecting Banking Virtual Account Management →
Communications Billing And Revenue Management by Oracle
View all CVEs affecting Communications Billing And Revenue Management →
Communications Billing And Revenue Management by Oracle
View all CVEs affecting Communications Billing And Revenue Management →
Communications Cloud Native Core Policy by Oracle
View all CVEs affecting Communications Cloud Native Core Policy →
Communications Cloud Native Core Unified Data Repository by Oracle
View all CVEs affecting Communications Cloud Native Core Unified Data Repository →
Communications Convergent Charging Controller by Oracle
View all CVEs affecting Communications Convergent Charging Controller →
Communications Diameter Signaling Route by Oracle
View all CVEs affecting Communications Diameter Signaling Route →
Communications Evolved Communications Application Server by Oracle
View all CVEs affecting Communications Evolved Communications Application Server →
Communications Instant Messaging Server by Oracle
View all CVEs affecting Communications Instant Messaging Server →
Communications Network Charging And Control by Oracle
View all CVEs affecting Communications Network Charging And Control →
Communications Offline Mediation Controller by Oracle
View all CVEs affecting Communications Offline Mediation Controller →
Communications Policy Management by Oracle
Communications Pricing Design Center by Oracle
View all CVEs affecting Communications Pricing Design Center →
Communications Services Gatekeeper by Oracle
View all CVEs affecting Communications Services Gatekeeper →
Communications Session Report Manager by Oracle
View all CVEs affecting Communications Session Report Manager →
Communications Session Route Manager by Oracle
View all CVEs affecting Communications Session Route Manager →
Communications Unified Inventory Management by Oracle
View all CVEs affecting Communications Unified Inventory Management →
Documaker by Oracle
Documaker by Oracle
Documaker by Oracle
Jd Edwards Enterpriseone Orchestrator by Oracle
View all CVEs affecting Jd Edwards Enterpriseone Orchestrator →
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Remote code execution allowing attackers to run arbitrary commands, install malware, or exfiltrate sensitive data.
If Mitigated
Limited impact if proper input validation and deserialization controls are implemented, potentially reduced to denial of service.
🎯 Exploit Status
Exploitation requires sending specially crafted JSON payloads to vulnerable endpoints. Attack complexity is reduced when default typing is enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.10.8 or later
Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2998
Restart Required: Yes
Instructions:
1. Update jackson-databind dependency to version 2.9.10.8 or later. 2. Update Maven/Gradle dependencies accordingly. 3. Restart affected applications. 4. Verify the update by checking the version in use.
🔧 Temporary Workarounds
Disable default typing
allDisable polymorphic type handling and default typing in Jackson ObjectMapper configuration
ObjectMapper mapper = new ObjectMapper();
mapper.activateDefaultTyping(null); // Disable default typing
mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);
Block dangerous classes
allConfigure Jackson to block deserialization of dangerous gadget classes
SimpleModule module = new SimpleModule();
module.setDeserializerModifier(new BeanDeserializerModifier() {
@Override
public JsonDeserializer<?> modifyDeserializer(...) {
// Add class blocking logic
}
});
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all JSON inputs
- Use network segmentation to isolate vulnerable systems and limit attack surface
🔍 How to Verify
Check if Vulnerable:
Check pom.xml or build.gradle for jackson-databind version. Run: mvn dependency:tree | grep jackson-databind or gradle dependencies | grep jackson-databindCheck Version:
java -cp "path/to/jackson-databind.jar" com.fasterxml.jackson.databind.ObjectMapper | grep versionVerify Fix Applied:
Verify the version is 2.9.10.8 or higher. Check application logs for successful startup with updated version.📡 Detection & Monitoring
Log Indicators:
- Unusual deserialization errors
- Stack traces containing org.apache.tomcat.dbcp
- Unexpected class loading attempts
Network Indicators:
- Large or malformed JSON payloads to API endpoints
- Requests containing serialized object patterns
SIEM Query:
source="application.logs" AND ("jackson" OR "deserialization") AND (error OR exception)🔗 References
- https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://github.com/FasterXML/jackson-databind/issues/2998
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://security.netapp.com/advisory/ntap-20210205-0005/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://github.com/FasterXML/jackson-databind/issues/2998
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://security.netapp.com/advisory/ntap-20210205-0005/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
