Service Notices
Jackson Databind Remote Code Execution Vulnerability (CVE-2020-8840)
Mar 09, 2020 GMT+08:00
I. Overview
A deserialization remote code execution vulnerability (CVE-2020-8840) has been disclosed in jackson-databind 2.0.0 through 2.9.10.2. FasterXML Jackson is a Java-based data processing library developed by FasterXML; jackson-databind is its core data-binding component. Because the library's deserialization blocklist did not cover certain xbean-reflect/JNDI gadget types, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter, an attacker who controls the JSON fed to a mapper with default typing enabled can name that class as a type id, trigger a JNDI lookup against an attacker-controlled server, and remotely execute code.
We therefore advise jackson-databind users to check their deployments and apply the fix promptly.
Reference link:
https://github.com/FasterXML/jackson-databind/issues/2620#
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected Versions:
FasterXML jackson-databind 2.0.0 through 2.9.10.2
Secure Versions:
jackson-databind 2.8.11.5 and later 2.8 series
jackson-databind 2.9.10.3 and later 2.9 series
jackson-databind 2.10 series
IV. Vulnerability Inspection and Handling
Vulnerability inspection (your system is affected if it deserializes JSON from untrusted sources and all three of the following conditions are met):
a. The jackson-databind version falls into the affected range.
b. Default typing is enabled, for example via ObjectMapper.enableDefaultTyping(). It is disabled by default; without it the gadget class cannot be selected by the JSON input.
c. The xbean-reflect library, which provides org.apache.xbean.propertyeditor.JndiConverter, is on the application's classpath.
Vulnerability handling:
This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to one of the secure versions listed above. Note that the upgrade only extends the built-in blocklist with this gadget; if your application genuinely needs default typing, 2.10 and later also let you restrict it to an explicit allow-list of types, which closes the whole class of gadget attacks rather than one entry.
Download address: https://github.com/FasterXML/jackson-databind/releases
Note: Before applying the fix, back up your files and test thoroughly.
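The following is an added example, not code from this notice or from the Jackson project, showing condition b side by side with the hardened configuration. It assumes jackson-databind 2.10 or later (for JsonMapper and PolymorphicTypeValidator); the Config and Setting classes and the com.example.trusted. package prefix are hypothetical, and the two JSON inputs are constructed for the demonstration. The gadget input only names the class from the advisory with an empty body; no JNDI lookup is attempted.

```java
import java.io.IOException;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingCheck {

    // Hypothetical application bean. The Object-typed field is where default
    // typing applies: the JSON, not the code, decides which class gets built.
    public static class Config {
        public Object value;
    }

    // Hypothetical trusted payload type the application legitimately expects.
    public static class Setting {
        public String name;
    }

    // Condition b of the notice: global default typing via enableDefaultTyping().
    // Any class on the classpath can then be named as the type id, and only the
    // library's built-in blocklist stands between the JSON and a gadget such as
    // org.apache.xbean.propertyeditor.JndiConverter (condition c).
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10; OBJECT_AND_NON_CONCRETE
        return mapper;
    }

    // Hardened form (2.10 and later): default typing is activated only together
    // with an allow-list validator, so a type id outside the trusted set is
    // refused by the validator regardless of which jars are on the classpath.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Setting.class)
                .allowIfSubType("com.example.trusted.") // hypothetical package prefix
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
                .build();
    }

    // True if the mapper is willing to resolve and build the type named in the JSON;
    // false if the type id is denied by the validator or cannot be resolved.
    static boolean accepts(ObjectMapper mapper, String json) throws IOException {
        try {
            mapper.readValue(json, Config.class);
            return true;
        } catch (InvalidTypeIdException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs in the default-typing wire format: ["type id", value].
        String trusted = "{\"value\":[\"" + Setting.class.getName() + "\",{\"name\":\"x\"}]}";
        String gadget = "{\"value\":[\"org.apache.xbean.propertyeditor.JndiConverter\",{}]}";

        ObjectMapper hardened = hardenedMapper();
        System.out.println("hardened mapper accepts trusted type: " + accepts(hardened, trusted));
        System.out.println("hardened mapper accepts gadget type:  " + accepts(hardened, gadget));
        System.out.println("legacy mapper accepts trusted type:   " + accepts(vulnerableMapper(), trusted));
    }
}
```

With the hardened mapper the trusted Setting payload still deserializes, while the JndiConverter type id is rejected with an InvalidTypeIdException before the class is instantiated, whether or not xbean-reflect is present. With the legacy mapper the same trusted payload is also accepted, so switching to the allow-list does not break legitimate polymorphic fields; it only removes the attacker's ability to choose the class.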