Jackson-Databind Deserialization Remote Code Execution Vulnerability (CVE-2020-36189 and CVE-2020-36179)
Jan 11, 2021 GMT+08:00
Jackson has officially released a security notice about the deserialization remote code execution vulnerabilities (CVE-2020-36189 and CVE-2020-36179) in jackson-databind 2.x versions earlier than 2.9.10.8. Both follow the same gadget-class pattern: when an application enables polymorphic default typing (or otherwise lets JSON input name the class to instantiate), jackson-databind will construct the classes oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS (CVE-2020-36179) and com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource (CVE-2020-36189) from attacker-controlled JSON. An attacker who can reach such an endpoint, on an application that has the gadget class on its classpath, can use it to remotely execute code. The fixed release adds these two classes to the deserialization blocklist.
If you are a jackson-databind user, check your service and implement timely security hardening.
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions: jackson-databind earlier than 2.9.10.8
Secure versions: jackson-databind 2.9.10.8 and later
IV. Vulnerability Handling
These vulnerabilities have been fixed in the latest official versions. If your service version falls into the affected range, upgrade it to the latest secure version. Note that the fix only blocklists the two gadget classes named above; an ObjectMapper that enables default typing on untrusted input remains exposed to any gadget not yet on the blocklist, so also replace default typing with an explicit allowlist of the types your application expects (the PolymorphicTypeValidator API, available from jackson-databind 2.10).
Download address: https://github.com/FasterXML/jackson-databind/releases
HUAWEI CLOUD WAF can defend against these vulnerabilities. If you are a WAF user, set the basic web protection status to Block. For details, see Configuring Basic Web Protection Rules.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
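As a worked example of the version check and the hardening step described above, added here and not part of the Huawei Cloud advisory or the Jackson project: the class below reports whether the jackson-databind on the classpath is older than 2.9.10.8, shows the default-typing configuration that makes gadget classes such as DriverAdapterCPDS reachable beside an allowlist-based replacement, and feeds a constructed document that names the CVE-2020-36179 gadget to the hardened mapper. It assumes jackson-databind 2.10 or later (the PolymorphicTypeValidator API does not exist in 2.9.x) and an assumed application package com.example.hardening; the constructed gadget document carries an empty object body, not exploit fields.

```java
package com.example.hardening;

import java.io.IOException;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example for this advisory, not code from Huawei Cloud or the Jackson project.
// Assumes jackson-databind 2.10+ on the classpath and that the application's own data
// classes live under the (assumed) package com.example.hardening.
public class JacksonHardeningCheck {

    // A property typed as Object is the shape these CVEs need: with default typing on,
    // the JSON document chooses which class is instantiated for it.
    public static class Envelope {
        public Object payload;
    }

    // A legitimate application type that must keep working after hardening.
    public static class Order {
        public int id;
        public String sku;
    }

    // True when the jackson-databind version string is older than 2.9.10.8.
    // Jackson's Version.toString() renders 2.9.10.8 as "2.9.10-8", so split on both
    // '.' and '-'; missing components count as 0 (so 2.9.10 is older than 2.9.10.8).
    public static boolean isAffected(String version) {
        int[] fixed = {2, 9, 10, 8};
        String[] parts = version.split("[.\\-]");
        for (int i = 0; i < fixed.length; i++) {
            int n = 0;
            if (i < parts.length) {
                try {
                    n = Integer.parseInt(parts[i]);
                } catch (NumberFormatException e) {
                    n = 0;
                }
            }
            if (n != fixed[i]) {
                return n < fixed[i];
            }
        }
        return false; // exactly 2.9.10.8
    }

    // Pre-2.10 style configuration that makes gadget classes reachable. Deprecated but
    // present in every 2.x release: without a validator, any class on the classpath that
    // is not on Jackson's built-in blocklist can be named in ["class.Name", {...}].
    public static ObjectMapper insecureMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Allowlist-based configuration: only types under our own package may be named in
    // JSON. Everything else, gadget or not, is rejected before the class is loaded.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.hardening.") // assumed application package
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Constructed input: an Envelope whose payload names the DriverAdapterCPDS gadget from
    // CVE-2020-36179 with an empty body (no exploit fields are supplied).
    static final String TAMPERED = "[\"com.example.hardening.JacksonHardeningCheck$Envelope\","
            + "{\"payload\":[\"oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS\",{}]}]";

    // True if the mapper refuses the tampered document. The hardened mapper throws
    // InvalidTypeIdException (a JsonMappingException) from the validator; an unpatched
    // insecureMapper() with the gadget on the classpath would instantiate it and return false.
    public static boolean rejectsGadget(ObjectMapper mapper) {
        try {
            mapper.readValue(TAMPERED, Envelope.class);
            return false;
        } catch (JsonMappingException e) {
            return true;
        } catch (IOException e) {
            throw new IllegalStateException("TAMPERED is not valid JSON", e);
        }
    }

    // Legitimate data still round-trips through the hardened mapper: Order is allowlisted.
    public static Order roundTrip(ObjectMapper mapper, Order in) throws IOException {
        Envelope env = new Envelope();
        env.payload = in;
        String json = mapper.writeValueAsString(env);
        return (Order) mapper.readValue(json, Envelope.class).payload;
    }

    public static void main(String[] args) throws IOException {
        String v = PackageVersion.VERSION.toString();
        System.out.println("jackson-databind " + v
                + (isAffected(v) ? ": AFFECTED, upgrade" : ": not in the affected range"));
        Order o = new Order();
        o.id = 42;
        o.sku = "ABC-1";
        Order back = roundTrip(hardenedMapper(), o);
        System.out.println("hardened round-trip: id=" + back.id + " sku=" + back.sku);
        System.out.println("hardened mapper rejects gadget: " + rejectsGadget(hardenedMapper()));
        System.out.println("default-typing mapper rejects gadget: " + rejectsGadget(insecureMapper()));
    }
}
```

Compile and run with jackson-databind (2.10 or later) and jackson-core on the classpath. The point of the allowlist is that the rejection happens inside the validator on the type name, so it does not depend on the gadget being present on the classpath or on Jackson's blocklist being current; the insecure mapper only rejects the same document because the patched release blocklisted that class name, and the next gadget would go through.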