A deserialization vulnerability in jackson-databind was disclosed on 2020-08-27. It is tracked as CVE-2020-24616, affects the data layer of applications that parse untrusted JSON, and is rated high risk.

br.com.anteros: a new deserialization gadget chain in Anteros-DBCP (package br.com.anteros.dbcp) bypasses the jackson-databind blacklist. A remote attacker who can send a crafted request to a web service interface that deserializes untrusted JSON with this library on the classpath can achieve remote code execution. As with the earlier jackson-databind gadget CVEs, the chain only fires when polymorphic (default) typing is enabled on the ObjectMapper that handles the input and the gadget library is actually present; a stock Spring Boot web application meets neither condition.

Affected versions

jackson-databind < 2.9.10.6

Which Spring Boot versions are affected

Jackson is Spring Boot's built-in JSON parsing framework, so any project that introduces the web starter pulls in jackson-databind transitively:

  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
  </dependency>

Spring Boot 2.1.10


How to fix

Jackson is such a common JSON parser that most frameworks already bundle it transitively, so excluding it from every dependency one by one, as below, is impractical and easy to get wrong:

  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <exclusions>
      <exclusion>
        <artifactId>jackson-databind</artifactId>
        <groupId>com.fasterxml.jackson.core</groupId>
      </exclusion>
    </exclusions>
  </dependency>

  <dependency>
    <groupId>com.xkcoding.nacos</groupId>
    <artifactId>nacos-config</artifactId>
    <version>1.1.4</version>
    <exclusions>
      <exclusion>
        <artifactId>jackson-databind</artifactId>
        <groupId>com.fasterxml.jackson.core</groupId>
      </exclusion>
    </exclusions>
  </dependency>

The simplest approach is to pin the version in the root POM's dependencyManagement node; every jackson-databind brought in transitively by other packages then resolves to this version. After the change, confirm the result with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` and make sure only 2.9.10.6 appears.

<dependencyManagement>
  <dependencies>
    <dependency>
      <artifactId>jackson-databind</artifactId>
      <groupId>com.fasterxml.jackson.core</groupId>
      <version>2.9.10.6</version>
    </dependency>
  </dependencies>
</dependencyManagement>

Conclusion

Don't panic: Pig4Cloud [1] does not enable Jackson default (dynamic) typing, and its Spring Cache integration [2] does not use Jackson serialization.

If your Redis integration uses Jackson serialization and has the application's global ObjectMapper injected into it, take note: Redis serializers usually turn on default typing so that stored values carry their class name, and doing that on the shared mapper also applies it to HTTP request bodies. Give the Redis serializer a copy of the ObjectMapper, as mica-redis [3] does, so the unsafe configuration does not contaminate the global instance.
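The two points above, that the gadget chain needs default typing to be enabled on the mapper parsing the request and that a Redis serializer must therefore get its own copy, as an added Java example. This is not code from the original post, from Pig4Cloud or from mica-redis; it assumes jackson-databind 2.9.x and spring-data-redis on the classpath, and the JSON payload is constructed for illustration, with the harmless java.util.HashMap standing in for whatever class an attacker would name.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;

public class RedisMapperIsolation {

    // Constructed payload in the WRAPPER_ARRAY shape that default typing accepts:
    // the first element names the class to instantiate, the second is its content.
    static final String TYPED_PAYLOAD = "[\"java.util.HashMap\", {\"k\": \"v\"}]";

    // Unsafe: enabling default typing on the application-wide mapper also
    // enables it for every @RequestBody the web layer parses with that mapper.
    static GenericJackson2JsonRedisSerializer contaminating(ObjectMapper shared) {
        shared.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return new GenericJackson2JsonRedisSerializer(shared);
    }

    // Safe: copy() gives the Redis serializer its own mapper (same modules and
    // features as the shared one), and default typing is enabled only there.
    static GenericJackson2JsonRedisSerializer isolated(ObjectMapper shared) {
        ObjectMapper redisMapper = shared.copy();
        redisMapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return new GenericJackson2JsonRedisSerializer(redisMapper);
    }

    // Parses the payload the way a controller parsing an untyped body would,
    // and reports which class Jackson actually instantiated.
    static String instantiatedClass(ObjectMapper mapper) throws Exception {
        Object value = mapper.readValue(TYPED_PAYLOAD, Object.class);
        return value.getClass().getName();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper webMapper = new ObjectMapper();

        // Baseline: no default typing, the class name in the JSON is just a string.
        System.out.println("fresh mapper:        " + instantiatedClass(webMapper));

        // Building the Redis serializer from a copy leaves the web mapper unchanged.
        isolated(webMapper);
        System.out.println("after isolated():    " + instantiatedClass(webMapper));

        // Building it from the shared mapper lets the JSON author choose the class.
        contaminating(webMapper);
        System.out.println("after contaminating(): " + instantiatedClass(webMapper));
    }
}
```

The first two lines print java.util.ArrayList, because without default typing the array is parsed as a plain list and "java.util.HashMap" is data. The third prints java.util.HashMap: once the shared mapper has default typing, the class of the object created is chosen by whoever wrote the JSON, which is exactly the precondition the Anteros-DBCP chain and its predecessors rely on; the blacklist in 2.9.10.6 blocks that particular class, not the mechanism. On jackson-databind 2.10 and later, enableDefaultTyping is deprecated and the copy should instead call activateDefaultTyping with a BasicPolymorphicTypeValidator that allowlists only your own packages.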


Later we will translate two articles by the Jackson authors that explain Jackson's dynamic (default) typing and its security mechanisms in depth. It is worth understanding why the vulnerability arises: otherwise a patched library can still be exposed by an incorrectly configured JSON tool.

References

[1] pig4cloud: https://gitee.com/log4j/pig

[2] spring cache: https://gitee.com/log4j/pig/pulls/63

[3] mica-redis: https://gitee.com/596392912/mica