Service Notices
Jackson-Databind Deserialization Remote Code Execution Vulnerability (CVE-2020-36189 and CVE-2020-36179)
Jan 11, 2021 GMT+08:00
I. Overview
Jackson has published a security notice for a deserialization remote code execution vulnerability (CVE-2020-36189 and CVE-2020-36179) in jackson-databind versions earlier than 2.9.10.8. The vulnerabilities are caused by unsafe deserialization of the oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS and com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource classes, which an attacker can use to execute code remotely.
If you use jackson-databind, check whether your service runs an affected version and apply security hardening promptly.
References:
https://github.com/FasterXML/jackson-databind/issues/3004
https://github.com/FasterXML/jackson-databind/issues/2996
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
jackson-databind versions earlier than 2.9.10.8
Secure versions:
jackson-databind 2.9.10.8 and later versions
IV. Vulnerability Handling
These vulnerabilities have been fixed in the latest official releases. If your service uses a version in the affected range, upgrade to a secure version (2.9.10.8 or later).
Download address: https://github.com/FasterXML/jackson-databind/releases
HUAWEI CLOUD WAF can defend against these vulnerabilities. If you are a WAF user, set the basic web protection status to Block. For details, see Configuring Basic Web Protection Rules.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
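Upgrading closes this pair of gadget classes, but the underlying exposure is polymorphic type handling that lets JSON name the class to instantiate, so a hardened ObjectMapper configuration is worth pairing with the version bump. The following is an added example written for this notice; it is not code from the notice or from the Jackson project. It assumes the jackson-databind 2.10+ API (BasicPolymorphicTypeValidator and activateDefaultTyping, which are present in the 2.10 and later releases covered by "2.9.10.8 and later" but not in 2.9.10.8 itself); the package com.example.security, the Point class and the two JSON payloads are constructed for the demonstration.

```java
package com.example.security;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeMapperFactory {

    /** Constructed model type, used only to show an allowlisted type id being accepted. */
    public static class Point {
        public int x;
        public int y;
    }

    /** Safest option: no default typing, so JSON input can never name a class to instantiate. */
    public static ObjectMapper withoutDefaultTyping() {
        return new ObjectMapper();
    }

    /**
     * When polymorphic typing is genuinely needed, restrict it with an allowlist.
     * Only Point and its subtypes may appear as a type id; every other class is denied,
     * which covers gadget classes such as the two named in the notice.
     */
    public static ObjectMapper withAllowlistedTyping() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Point.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // Replaces the unsafe enableDefaultTyping() call found in older code.
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = withAllowlistedTyping();

        // Constructed payloads in Jackson's WRAPPER_ARRAY form: [class name, value].
        String allowed = "[\"" + Point.class.getName() + "\",{\"x\":1,\"y\":2}]";
        String denied = "[\"java.util.HashMap\",{\"k\":\"v\"}]";

        Point p = (Point) safe.readValue(allowed, Object.class);
        System.out.println("accepted allowlisted type: " + p.x + "," + p.y);

        try {
            safe.readValue(denied, Object.class);
            System.out.println("unexpected: type id outside the allowlist was accepted");
        } catch (InvalidTypeIdException e) {
            // The validator rejects the class name before any instance is created.
            System.out.println("rejected type id: " + e.getTypeId());
        }

        // Confirms which jackson-databind build is actually on the classpath.
        System.out.println("jackson-databind " + safe.version());
    }
}
```

The version printed at the end is the one that matters for this notice: transitive dependencies often pull in an older jackson-databind than the one declared, so also confirm the resolved version in the build (for Maven, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind`) before treating the service as fixed.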