CVE-2020-36189
📋 TL;DR
This vulnerability in FasterXML jackson-databind (2.x before 2.9.10.8) allows remote code execution through deserialization of untrusted data. The flaw lies in the interaction between serialization gadgets and typing features: when an application deserializes attacker-controlled JSON with polymorphic type handling (default typing) enabled, the JSON can name a gadget class present on the application's classpath, and instantiating that class executes attacker-chosen code. Applications using jackson-databind for JSON processing with polymorphic type handling enabled are vulnerable.
💻 Affected Systems
- FasterXML jackson-databind
- Applications using jackson-databind library
📦 What is this software?
Oracle products listed as affected:
- Agile Plm
- Autovue For Agile Product Lifecycle Management
- Banking Virtual Account Management
- Communications Billing And Revenue Management
- Communications Cloud Native Core Policy
- Communications Cloud Native Core Unified Data Repository
- Communications Convergent Charging Controller
- Communications Diameter Signaling Router
- Communications Evolved Communications Application Server
- Communications Instant Messaging Server
- Communications Interactive Session Recorder
- Communications Network Charging And Control
- Communications Offline Mediation Controller
- Communications Pricing Design Center
- Communications Services Gatekeeper
- Communications Session Route Manager
- Communications Unified Inventory Management
- Documaker
- Jd Edwards Enterpriseone Orchestrator
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Remote code execution allowing attackers to run arbitrary commands, install malware, or pivot to other systems.
If Mitigated
Denial of service or application crash if exploitation attempts are blocked by security controls.
🎯 Exploit Status
Exploitation requires the application to deserialize untrusted JSON with polymorphic type handling enabled. The specific gadget chain involves com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.10.8 or later
Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2996
Restart Required: Yes
Instructions:
1. Update the jackson-databind dependency to version 2.9.10.8 or later.
2. Update pom.xml or build.gradle to reference the patched version.
3. Rebuild and redeploy the application.
4. Restart affected services.
🔧 Temporary Workarounds
Disable default typing
Disable polymorphic type handling (default typing) in the ObjectMapper configuration. Default typing is off unless the application turned it on, so the goal is to remove any activateDefaultTyping/enableDefaultTyping call and make sure nothing re-enables it:
ObjectMapper mapper = new ObjectMapper();
mapper.deactivateDefaultTyping(); // jackson-databind 2.10+; on 2.9.x use mapper.disableDefaultTyping()
Block specific classes
Reject com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource by name in a PolymorphicTypeValidator (jackson-databind 2.10+). A SimpleModule mix-in with NoClass does not stop the type id from being resolved and instantiated, so it is not a denylist. Names the validator leaves INDETERMINATE are refused unless an allow-list accepts them, which is the safe default:
PolymorphicTypeValidator ptv = new PolymorphicTypeValidator.Base() {
    @Override public Validity validateSubClassName(MapperConfig<?> cfg, JavaType base, String name) {
        return name.equals("com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource") ? Validity.DENIED : Validity.INDETERMINATE; } };
mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL); // only if default typing is genuinely required
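The two workarounds above combined into one runnable configuration, as an added example that is not code from this page, from the jackson-databind project, or from Oracle. It assumes jackson-databind 2.10 or later (for the PolymorphicTypeValidator API) and Java 9 or later (for Set.of). The package com.example.myapp.model, the classes HardenedMapperDemo and Greeting, and the three JSON inputs are constructed for the demonstration; the only value taken from the page is the gadget class name. The validator refuses that name before Jackson attempts to load the class, and everything outside the application's own model package is refused by the allow-list, so the denylist is a second layer rather than the only control.

```java
package com.example.myapp.model; // hypothetical application package used as the allow-list prefix

import java.util.Set;

import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.MapperConfig;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class HardenedMapperDemo {

    /** Gadget class named in CVE-2020-36189; rejected by name before it is ever loaded. */
    static final String GADGET =
        "com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource";

    /** Denies a fixed set of class names first, then defers to an allow-list validator. */
    static final class DenyThenAllowValidator extends PolymorphicTypeValidator.Base {
        private final Set<String> denied;
        private final PolymorphicTypeValidator allowList;

        DenyThenAllowValidator(Set<String> denied, PolymorphicTypeValidator allowList) {
            this.denied = denied;
            this.allowList = allowList;
        }

        @Override
        public Validity validateBaseType(MapperConfig<?> config, JavaType baseType)
                throws JsonMappingException {
            return allowList.validateBaseType(config, baseType);
        }

        @Override
        public Validity validateSubClassName(MapperConfig<?> config, JavaType baseType,
                String subClassName) throws JsonMappingException {
            // Runs before Jackson calls Class.forName(), so a denied gadget is never loaded.
            if (denied.contains(subClassName)) {
                return Validity.DENIED;
            }
            return allowList.validateSubClassName(config, baseType, subClassName);
        }

        @Override
        public Validity validateSubType(MapperConfig<?> config, JavaType baseType,
                JavaType subType) throws JsonMappingException {
            if (denied.contains(subType.getRawClass().getName())) {
                return Validity.DENIED;
            }
            return allowList.validateSubType(config, baseType, subType);
        }
    }

    /** Preferred workaround: no polymorphic type ids are honoured from input at all. */
    static ObjectMapper mapperWithoutDefaultTyping() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.deactivateDefaultTyping(); // 2.10+; on 2.9.x use disableDefaultTyping()
        return mapper;
    }

    /** Only when default typing is genuinely required: allow-list plus explicit denylist. */
    static ObjectMapper mapperWithRestrictedDefaultTyping() {
        PolymorphicTypeValidator allowOnlyOurModels = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.myapp.model.") // hypothetical package prefix
            .build();
        PolymorphicTypeValidator ptv =
            new DenyThenAllowValidator(Set.of(GADGET), allowOnlyOurModels);
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Sample model type that the allow-list accepts. */
    public static final class Greeting {
        public String text;
    }

    /** Returns the deserialised value, or null after logging a rejected type id. */
    static Object readUntrusted(ObjectMapper mapper, String json) throws Exception {
        try {
            return mapper.readValue(json, Object.class);
        } catch (InvalidTypeIdException e) {
            // The event worth forwarding to the SIEM: which type id was refused, for which base type.
            System.err.println("rejected polymorphic type id " + e.getTypeId()
                + " for base " + e.getBaseType());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = mapperWithRestrictedDefaultTyping();
        // Constructed sample inputs in the wrapper-array form that default typing expects.
        String ok = "[\"com.example.myapp.model.HardenedMapperDemo$Greeting\",{\"text\":\"hi\"}]";
        String gadget = "[\"" + GADGET + "\",{}]";
        String unlisted = "[\"java.util.HashMap\",{}]";

        System.out.println(readUntrusted(mapper, ok));       // a Greeting instance
        System.out.println(readUntrusted(mapper, gadget));   // null, after logging the rejection
        System.out.println(readUntrusted(mapper, unlisted)); // null: outside the allow-list
    }
}
```

The rejection surfaces as InvalidTypeIdException, which is the "Java exceptions related to deserialization" indicator from the Detection section; logging e.getTypeId() is what makes the DriverManagerConnectionSource term in the SIEM query match. mapperWithoutDefaultTyping() remains the configuration to prefer wherever the application does not actually rely on default typing.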
🧯 If You Can't Patch
- Disable default typing in ObjectMapper configuration
- Implement input validation and sanitization for JSON deserialization
🔍 How to Verify
Check if Vulnerable:
Check application dependencies for jackson-databind version 2.x < 2.9.10.8
Check Version:
Maven: mvn dependency:tree | grep jackson-databind
Gradle: gradle dependencies | grep jackson-databind
Verify Fix Applied:
Verify jackson-databind version is 2.9.10.8 or higher in dependencies
📡 Detection & Monitoring
Log Indicators:
- Java exceptions related to deserialization
- ClassNotFoundExceptions for suspicious classes
- Unexpected process execution
Network Indicators:
- Unusual outbound connections from application servers
- HTTP requests with malicious JSON payloads
SIEM Query:
source="application.logs" AND ("com.newrelic.agent.deps" OR "DriverManagerConnectionSource" OR "jackson.databind")
🔗 References
- https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://github.com/FasterXML/jackson-databind/issues/2996
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://security.netapp.com/advisory/ntap-20210205-0005/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html