CVE-2020-9547 Scanner
CVE-2020-9547 Scanner - Remote Code Execution (RCE) vulnerability in FasterXML jackson-databind
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 6 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
FasterXML jackson-databind is a popular library for parsing JSON in Java applications. It is widely used by developers to handle and manipulate JSON data efficiently and is integrated into many software projects for this purpose. The library converts Java objects to JSON and vice versa, making it suitable for applications that require complex data manipulation. Both open-source projects and enterprise applications rely on jackson-databind for its robust feature set and ease of use. Its extensive functionality enables intercommunication between different software systems by serializing objects into a common format, JSON, and its flexible API lets users customize JSON parsing and formatting to suit their specific needs.
The vulnerability in FasterXML jackson-databind is Remote Code Execution (RCE) through deserialization of untrusted data. Attackers exploit it by sending malicious JSON payloads that trigger unintended code execution on the target system. The issue stems from improper handling of serialization gadgets when polymorphic type handling is enabled: carefully crafted JSON objects can sidestep the usual security checks and lead to arbitrary code execution. The flaw arises because objects created while deserializing certain gadget classes perform unintended operations during their construction or configuration, which poses a significant security risk. The vulnerability is rated critical because of its potential impact and ease of exploitation.
Technically, the vulnerability lies in insecure deserialization when jackson-databind is used with certain serialization gadgets and typing arrangements. Specifically, when the library can resolve `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig`, untrusted JSON data may name that class and thereby achieve remote code execution. The attack relies on polymorphic typing via `@JsonTypeInfo` with `use=JsonTypeInfo.Id.CLASS`, which makes the library instantiate whatever class the JSON document names during deserialization. If no precautionary configuration restricts which classes may be instantiated, loading such a gadget configuration can run code embedded in the payload. The vulnerability is therefore most exploitable where polymorphic type handling is not properly managed.
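As an added illustration (not code from the scanner page or the Jackson project), the Java snippet below places the permissive polymorphic-typing configuration the text describes beside a hardened one that restricts `Id.CLASS` type ids to an allow list using Jackson's `PolymorphicTypeValidator` (available since jackson-databind 2.10). The `Envelope`, `Shape` and `Circle` types and both JSON inputs are constructed for this example; `java.io.File` merely stands in for a class name outside the allow list.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingDemo {
    // Constructed application types: the only classes "payload" should ever hold.
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }
    public static class Envelope {
        // Id.CLASS embeds a fully qualified class name ("@class") in the JSON, so
        // the document, not the application, chooses the class to instantiate.
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }
    // Constructed inputs. FOREIGN names a harmless JDK class outside the allow
    // list; it stands in for any class name an untrusted sender might supply.
    static final String LEGIT =
        "{\"payload\":{\"@class\":\"PolymorphicTypingDemo$Circle\",\"radius\":2.0}}";
    static final String FOREIGN = "{\"payload\":[\"java.io.File\",\"/tmp/anything\"]}";
    // Weak: a default ObjectMapper trusts whatever class name the input carries.
    static ObjectMapper permissiveMapper() {
        return new ObjectMapper();
    }
    // Hardened: type ids are checked against an allow list before anything is
    // instantiated; a class that is not a Shape fails with InvalidTypeIdException.
    static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Shape.class)
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.setPolymorphicTypeValidator(ptv);
        return mapper;
    }
    static String tryRead(ObjectMapper mapper, String json) {
        try {
            Envelope e = mapper.readValue(json, Envelope.class);
            return "accepted " + e.payload.getClass().getName();
        } catch (JsonMappingException ex) {
            return "rejected: " + ex.getOriginalMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("permissive, foreign: " + tryRead(permissiveMapper(), FOREIGN));
        System.out.println("restricted, legit:   " + tryRead(restrictedMapper(), LEGIT));
        System.out.println("restricted, foreign: " + tryRead(restrictedMapper(), FOREIGN));
    }
}
```

The permissive mapper accepts the foreign type id and instantiates the named class, while the restricted mapper rejects it and still deserializes the legitimate `Circle`; the same validator can be applied to default typing via `activateDefaultTyping(ptv, ...)`.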
If exploited, this vulnerability allows attackers to execute arbitrary code on affected systems, potentially resulting in unauthorized system behavior. Its severity lies in the potential takeover of affected applications or systems, which enables further malicious activity such as data theft, corruption, or targeted attacks. A compromise through this vulnerability might let attackers manipulate application logic, cause denial of service, or install backdoors for persistent access. The associated risk underscores the need for urgent software updates and adherence to safe deserialization practices; addressing the vulnerability properly mitigates the risk of significant security and operational repercussions.