Attention, fellow AppSec comrades! This blog post shines a spotlight on open source vulnerabilities in the Java universe. In particular, it has come to our awareness that the jackson-databind serialisation library, which parses Java objects to JSON and vice versa, has taken big hits over the past few weeks. To better enlighten our readers, we took an in-depth look into the origins of its (de)serialisation flaws.
- CVE-2019-12384 A flaw in the serialisation process of FasterXML jackson-databind 2.x before 188.8.131.52 could lead to remote code execution. Read why
- CVE-2019-14379 Hackers could exploit an invalid object-class for pre-184.108.40.206 versions of jackson-databind to gain remote access and control. Read why
Vulnerability Score: 5.9
Affected versions: FasterXML jackson-databind 2.x before 220.127.116.11
Here is an interesting one! An open source vulnerability has been found in Jackson, more specifically in jackson-databind. Jackson is a widely-used Java-based library that supports serialization of Java Objects to JSON to enable objects to travel across a network.
A little befuddled? Think of two machines that speak entirely different mother tongues, and decisively pick up another shared language to enable seamless communication between each other. In this context, the act of translating the additional language stands in for the serialization process, whereby the translation process parses the mother tongue (Java Objects) of first machine (X) to a common language (JSON) that is also understood by the second machine (Y).
The root of this vulnerability is that jackson-databind, under certain conditions, blindly deserializes everything in its path. This then gives rise to exploitation opportunities for malicious third-party attackers to substitute valid object-classes with unvalidated ones. As a result, this then enables these hackers to send specifically crafted JSON messages which could then lead to privilege escalation issues and arbitrary code execution (ACE) attacks.
Although patches for this security flaw have been published for various softwares (RedHat, Debian 8 ‘Jessie’), these solutions are not sustainable fix-alls. The existing solution for this vulnerability is essentially manually blacklisting invalid object-classes that can easily be exploited by third-party attackers. Nonetheless, unvalidated object-classes are popping up like hotcakes, and the maintainers of said blacklist are playing a risky game of whack-a-mole, and it is just too time-consuming to continuously add exploitable classes to a list.
Nonetheless, until a more comprehensive solution has been discovered to effectively combat against these loopholes, you had better perform an update on your jackson-databind library to ensure you are well-protected against the blacklisted attack vectors and such known vulnerabilities!
To find out more about jackson-databind exploits, click here.
Vulnerability Score: TBD
Affected versions: 2.x versions before 18.104.22.168
Here’s another testament to the inefficiency of the blacklist measure to protect users of jackson-databind against arbitrary code execution attacks – another invalid object-class, the SubTypeValidator.java, has yet again appeared on our radar.
As explained under the aforementioned Jackson vulnerability that affected FasterXML jackson-databind versions 2.x (all versions up to 2.9.9), this data-binding library has the potential to deserialize any object-classes in its path under certain conditions. This is a result of default-typing which allows jackson-databind users to deserialize object-classes without specifying the full possible type hierarchy. And herein the default-typing feature lies the flaw of this open source vulnerability.
In this context, where the security flaw affects the more recent version FasterXML jackson-databind 22.214.171.124, remote code execution could be triggered if a hacker inputs the unsanitized SubTypeValidator.java object-class under the default-typing mechanism, when it is used in conjunction with Ecache (Java’s most widely-used cache).
This could potentially result in security breaches where hackers are able to send specific and malicious JSON messages resulting in unauthorised root access and control. We strongly advise that you upgrade to version 126.96.36.199 or higher at the soonest!
With jackson-databind being a highly popular serialisation gadget in the DevOps community, such exposures should be effectively nipped in the bud to prevent further compromises to its library, as well as waste of resources rolling out patched updates on every vulnerable version. A frequent user of jackson-databind? What are you waiting for?
Sign up here to download the Meterian client today. You’ll get an instant analysis of your first project for free. See the risks immediately and know which components to remove or upgrade to secure your app.