Vulnerability Focus: Java

Attention, fellow AppSec comrades! This blog post shines a spotlight on open source vulnerabilities in the Java universe. In particular, it has come to our awareness that the jackson-databind serialisation library, which parses Java objects to JSON and vice versa, has taken big hits over the past few weeks. To better enlighten our readers, we took an in-depth look into the origins of its (de)serialisation flaws.

  • CVE-2019-12384 A flaw in the serialisation process of FasterXML jackson-databind 2.x before 2.9.9.1  could lead to remote code execution. Read why
  • CVE-2019-14379 Hackers could exploit an invalid object-class for pre-2.9.9.2 versions of jackson-databind to gain remote access and control. Read why

CVE-2019-12384

Vulnerability Score: 5.9

Platform: Java

Component: jackson-databind 

Affected versions: FasterXML jackson-databind 2.x before 2.9.9.1 

Here is an interesting one! An open source vulnerability has been found in Jackson, more specifically in jackson-databind. Jackson is a widely-used Java-based library that supports serialization of Java Objects to JSON to enable objects to travel across a network.

A little befuddled? Think of two machines that speak entirely different mother tongues, and decisively pick up another shared language to enable seamless communication between each other. In this context, the act of translating the additional language stands in for the serialization process, whereby the translation process parses the mother tongue (Java Objects) of first machine (X) to a common language (JSON) that is also understood by the second machine (Y).

The root of this vulnerability is that jackson-databind, under certain conditions, blindly deserializes everything in its path. This then gives rise to exploitation opportunities for malicious third-party attackers to substitute valid object-classes with unvalidated ones. As a result, this then enables these hackers  to send specifically crafted JSON messages which could then lead to privilege escalation issues and arbitrary code execution  (ACE) attacks.

Although patches for this security flaw have been published for various softwares (RedHat, Debian 8 ‘Jessie’),  these solutions are not sustainable fix-alls. The existing solution for this vulnerability is essentially manually blacklisting invalid object-classes that can easily be exploited by third-party attackers. Nonetheless, unvalidated object-classes are popping up like hotcakes, and the maintainers of said blacklist are playing a risky game of whack-a-mole, and it is just too time-consuming to continuously add exploitable classes to a list.

Nonetheless, until a more comprehensive solution has been discovered to effectively combat against these loopholes, you had better perform an update on your jackson-databind library to ensure you are well-protected against the blacklisted attack vectors and such known vulnerabilities!

To find out more about jackson-databind exploits, click here.

CVE-2019-14379

Vulnerability Score: TBD

Component: jackson-databind

Affected versions:  2.x versions before  2.9.9.2 

Here’s another testament to the inefficiency of the blacklist measure to protect users of jackson-databind against arbitrary code execution attacks – another invalid object-class, the SubTypeValidator.java, has yet again appeared on our radar.

As explained under the aforementioned Jackson vulnerability that affected FasterXML jackson-databind versions 2.x (all versions up to 2.9.9), this data-binding library has the potential to deserialize any object-classes in its path under certain conditions. This is a result of default-typing which allows jackson-databind users to  deserialize object-classes without specifying the full possible type hierarchy. And herein the default-typing feature lies the flaw of this open source vulnerability.

In this context, where the security flaw affects the more recent version FasterXML jackson-databind 2.9.9.2, remote code execution could be triggered if a hacker inputs the unsanitized SubTypeValidator.java object-class under the default-typing mechanism, when it is used in conjunction with Ecache (Java’s most widely-used cache).

This could potentially result in security breaches  where hackers are able to send specific and malicious JSON messages resulting in unauthorised root access and control. We strongly advise that you upgrade to version 2.9.9.2 or higher at the soonest!

With jackson-databind being a highly popular serialisation gadget in the DevOps community, such exposures should be effectively nipped in the bud to prevent further compromises to its library, as well as waste of resources rolling out patched updates on every vulnerable version. A frequent user of jackson-databind? What are you waiting for?

Sign up here to download the Meterian client today. You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Vulnerability Focus: Java

Vulnerability Focus: .NET

Image of thief climbing out of laptop shining flashlight on .net icon, titled Vulnerability Focus: .NET

In the wake of the massive Capital One data breach incited by a misconfigured web app firewall, we are throwing in a .NET open source library vulnerability that demonstrates the pervasiveness of privilege escalation attacks across web apps for good measure.

CVE-2019-1010199

Vulnerability Score: Medium — 6.1 (CVSS v3.0)

Platform: .NET 

Component: ServiceStack 

Affected versions: 4.5.14

It is a perilous time for ServiceStack users, a widely-used .NET based library.
The problem lies with the ServiceStack ecosystem, where a JavaScript-based Cross-Site Scripting (XSS) vulnerability could allow attackers to inject client-side code or scripts into web browsers viewed by other users. This means that said script is activated when it is read by an unsuspecting user’s web browser or web application. The web page or application then acts as an attack vector that delivers the malicious script to the user’s browser.

A web page or application is made vulnerable to XSS if it executes unsanitized user input for web servers to generate output – this user input must then be parsed by the victim’s browser to potentially compromise the system. We will note that though XSS attacks are possible across many languages (e.g. VBScript, ActiveX, Flash, CSS), they are, however, most common in JavaScript (as with this vulnerability) as this language is most commonly used as a client-side scripting language to support a bulk of web browsing experiences. 

In the context of this vulnerability within ServiceStack Framework 4.5.14, the flawed component is the query code used to execute the GET request. And with the web browser’s lack of server-side validation serving as the attack vector, this means that browser encoding is bypassed which could then compromise unsuspecting users’ browsers upon opening a crafted URL. The resulting impact is that a potentially malicious JavaScript code (aka unsanitized user input) would be reflected in the server response during execution for web browser output generation.

Such cross-site scripting vulnerabilities are often used by attackers for privilege escalation issues, especially to bypass access controls when two web pages are of the same origin (i.e. two URLs sharing the same protocol, port (if specified), and host).

This unauthorised access could then lead to security breaches such as data theft and password dumping. It is thus imperative that affected frameworks immediately download the patched version in 5.2 or later to avoid sensitive data violations.

With JavaScript being a key programming language that supports web development, it is imperative that we keep our guard up against unwanted intrusions to ensure seamless and secure provision of web services. We certainly hope this detailed analysis of this .NET vulnerability has galvanized you into taking active measures to avoid systemic data breaches. Until next time!

Sign up here to download the Meterian client today. You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Vulnerability Focus: .NET