New vulnerabilities in jackson-databind

The jackson-databind saga continues and today 4 new vulnerabilities have made their way into the NVD database. Still not “officially” confirmed, they are there to stay, as you can probably guess looking at the project bug report:

  • CVE-2018-14718: remote code execution via slf4j-ext
  • CVE-2018-14719: remote code execution via blaze-ds-opt
  • CVE-2018-14720: exfiltration/XXE with only JDK classes (some JDK versions)
  • CVE-2018-14721: exfiltration/SSRF with axis2-jaxws

Things are becoming quite tricky as the project is trying to keep up with four different main codebases (2.6.x, 2.7.x, 2.8.x, 2.9.x) plus the new development in progress. This is all about the ability to use the deserialisation mechanism of Jackson in order to perform mischiefs using, in a very creative way, some standard classes (see an example exploit documented a while ago on my personal blog) and all due to a blacklisting mechanism that continues to require updates.

You can also read a full account of the problem here, but for the time being, I would suggest using Gson instead, at least until a 3.x version of Jackson is out.

New vulnerabilities in jackson-databind

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s