CVE-2020-36187
📋 TL;DR
This vulnerability in FasterXML jackson-databind allows remote code execution through deserialization of untrusted data. It affects applications using Jackson 2.x with default typing enabled that process external input. Attackers can exploit this to execute arbitrary code on vulnerable systems.
💻 Affected Systems
- FasterXML jackson-databind
- Applications using Jackson for JSON processing
📦 What is this software?
Agile Plm by Oracle
Autovue For Agile Product Lifecycle Management by Oracle
View all CVEs affecting Autovue For Agile Product Lifecycle Management →
Banking Corporate Lending Process Management by Oracle
View all CVEs affecting Banking Corporate Lending Process Management →
Banking Corporate Lending Process Management by Oracle
View all CVEs affecting Banking Corporate Lending Process Management →
Banking Corporate Lending Process Management by Oracle
View all CVEs affecting Banking Corporate Lending Process Management →
Banking Credit Facilities Process Management by Oracle
View all CVEs affecting Banking Credit Facilities Process Management →
Banking Credit Facilities Process Management by Oracle
View all CVEs affecting Banking Credit Facilities Process Management →
Banking Credit Facilities Process Management by Oracle
View all CVEs affecting Banking Credit Facilities Process Management →
Banking Virtual Account Management by Oracle
View all CVEs affecting Banking Virtual Account Management →
Banking Virtual Account Management by Oracle
View all CVEs affecting Banking Virtual Account Management →
Banking Virtual Account Management by Oracle
View all CVEs affecting Banking Virtual Account Management →
Communications Billing And Revenue Management by Oracle
View all CVEs affecting Communications Billing And Revenue Management →
Communications Billing And Revenue Management by Oracle
View all CVEs affecting Communications Billing And Revenue Management →
Communications Cloud Native Core Policy by Oracle
View all CVEs affecting Communications Cloud Native Core Policy →
Communications Cloud Native Core Unified Data Repository by Oracle
View all CVEs affecting Communications Cloud Native Core Unified Data Repository →
Communications Convergent Charging Controller by Oracle
View all CVEs affecting Communications Convergent Charging Controller →
Communications Diameter Signaling Route by Oracle
View all CVEs affecting Communications Diameter Signaling Route →
Communications Evolved Communications Application Server by Oracle
View all CVEs affecting Communications Evolved Communications Application Server →
Communications Instant Messaging Server by Oracle
View all CVEs affecting Communications Instant Messaging Server →
Communications Network Charging And Control by Oracle
View all CVEs affecting Communications Network Charging And Control →
Communications Offline Mediation Controller by Oracle
View all CVEs affecting Communications Offline Mediation Controller →
Communications Policy Management by Oracle
Communications Pricing Design Center by Oracle
View all CVEs affecting Communications Pricing Design Center →
Communications Services Gatekeeper by Oracle
View all CVEs affecting Communications Services Gatekeeper →
Communications Session Report Manager by Oracle
View all CVEs affecting Communications Session Report Manager →
Communications Session Route Manager by Oracle
View all CVEs affecting Communications Session Route Manager →
Communications Unified Inventory Management by Oracle
View all CVEs affecting Communications Unified Inventory Management →
Documaker by Oracle
Documaker by Oracle
Documaker by Oracle
Jd Edwards Enterpriseone Orchestrator by Oracle
View all CVEs affecting Jd Edwards Enterpriseone Orchestrator →
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Remote code execution resulting in application compromise, data exfiltration, and potential privilege escalation.
If Mitigated
Limited impact if proper input validation and deserialization controls are implemented, potentially reduced to denial of service.
🎯 Exploit Status
Exploitation requires specific conditions but has been demonstrated in proof-of-concept code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.10.8 or later (2.10.x, 2.11.x, 2.12.x)
Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2997
Restart Required: Yes
Instructions:
1. Update jackson-databind dependency to version 2.9.10.8 or later. 2. Update pom.xml or build.gradle with new version. 3. Rebuild and redeploy application. 4. Restart affected services.
🔧 Temporary Workarounds
Disable default typing
allDisable polymorphic type handling in Jackson ObjectMapper configuration
// Java code: objectMapper.disableDefaultTyping();
// Or avoid using enableDefaultTyping() methods
Use safe typing configuration
allConfigure ObjectMapper with explicit safe typing using @JsonTypeInfo annotations
// Use @JsonTypeInfo with explicit type names instead of default typing
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all JSON inputs
- Use security controls like application firewalls to block malicious payloads
🔍 How to Verify
Check if Vulnerable:
Check Maven/Gradle dependencies for jackson-databind version <2.9.10.8 and verify if default typing is enabled in code.Check Version:
mvn dependency:tree | grep jackson-databind OR gradle dependencies | grep jackson-databindVerify Fix Applied:
Verify jackson-databind version is 2.9.10.8 or higher in dependency files and deployed artifacts.📡 Detection & Monitoring
Log Indicators:
- Unusual Java class loading errors
- Unexpected deserialization exceptions
- Suspicious network connections after JSON processing
Network Indicators:
- HTTP requests with crafted JSON payloads containing class names
- Outbound connections to unexpected destinations after JSON processing
SIEM Query:
source="application.log" AND ("ClassNotFoundException" OR "NoClassDefFoundError") AND "jackson"🔗 References
- https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://github.com/FasterXML/jackson-databind/issues/2997
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://security.netapp.com/advisory/ntap-20210205-0005/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://github.com/FasterXML/jackson-databind/issues/2997
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://security.netapp.com/advisory/ntap-20210205-0005/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
