Introduction to FasterXML Jackson
FasterXML Jackson is a data processing library for Java developed by the American company FasterXML. Jackson-databind is its data-binding component: it converts Java objects to JSON and JSON back into Java objects.

Vulnerability description
NVD published information about the FasterXML Jackson-databind remote code execution vulnerability on March 2, 2020, under CVE number CVE-2020-9548. The vulnerability is caused by JNDI injection, which leads to remote code execution. Jackson-databind versions 2.0.0 - lack a blacklist entry for the gadget class involved. Attackers can use this flaw to bypass the restrictions, perform JNDI injection, and eventually execute arbitrary code on the affected host.

Taking Jackson-databind 2.10.1 + Anteros-DBCP-1.0.1 + metrics-healthchecks-3.0.2 as the environment for analysis: Jackson-databind first performs its internal initialization and then processes the JSON data passed in. The vulnerability mainly exists in the class in the Anteros-DBCP library. Let's trace the process of exploiting the vulnerability. When Jackson-databind receives a piece of JSON data, it parses it in the ReaderBasedJsonParser class, checking the input character by character, as shown below:

Double quotes mark the start and end of each field name. The class named in the parsed JSON data is instantiated in the call method, and its internal member variables are initialized when the constructor runs.
The field names in the incoming JSON data are then obtained, and their values are assigned to the corresponding internal attributes through deserialization.

Methods in the class are invoked through reflection. When the getObjectOrPerformJndiLookup method in the class is executed, the victim host connects to the malicious link supplied by the attacker and loads a malicious file, thereby triggering remote code execution. It has been verified that both the metricRegistry and healthCheckRegistry attributes can be used to exploit the vulnerability.
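The chain above is only reachable because the mapper is told to trust the class name carried inside the JSON document. As an added example (not code from this advisory, from Jackson or from Anteros-DBCP), the following Java snippet, assumed to run against Jackson-databind 2.10.x, contrasts the legacy default-typing configuration, which resolves any class the document names and relies on a blacklist alone, with the 2.10 PolymorphicTypeValidator allow-list, which rejects an unlisted type id before any constructor or setter runs. The class name DefaultTypingHardening, the package prefix org.example.model. and the sample payload are constructed placeholders.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Constructed sample payload in Jackson's default WRAPPER_ARRAY form: the first element names
    // the class to instantiate. A harmless JDK class stands in for whatever class an attacker names.
    static final String UNTRUSTED_JSON = "[\"java.util.HashMap\", {\"k\": \"v\"}]";

    // WEAK: legacy default typing without a validator (deprecated in 2.10, still compiles).
    // Any loadable class named in the document is resolved; only the built-in blacklist stands in the way,
    // which is exactly the control CVE-2020-9548 bypasses.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }

    // HARDENED: 2.10+ allow-list. Only subtypes under the application's own package (hypothetical
    // prefix here) are resolved; every other type id is refused before the class is used.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("org.example.model.")
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Returns true if the mapper was willing to resolve the type id carried in the document.
    static boolean acceptsTypeId(ObjectMapper mapper, String json) throws Exception {
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (InvalidTypeIdException e) {
            // Raised by the validator: "Configured PolymorphicTypeValidator ... denied resolution".
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("weak mapper accepts type id:     " + acceptsTypeId(weakMapper(), UNTRUSTED_JSON));
        System.out.println("hardened mapper accepts type id: " + acceptsTypeId(hardenedMapper(), UNTRUSTED_JSON));
    }
}
```

With the hardened mapper the document is rejected with an InvalidTypeIdException, while the weak mapper resolves and instantiates the named class; the same allow-list applies to Jackson's @JsonTypeInfo-annotated properties when the mapper's default validator is set.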

We set up a Jackson-databind 2.10.1 + Anteros-DBCP-1.0.1 + metrics-healthchecks-3.0.2 environment, passed in specially constructed JSON data, and let the target server load malicious files from a remote host to execute arbitrary code on the host, as shown in the figure:

Affected Versions:
Jackson-databind 2.0.0 -

On Mar 2, 2020, Sangfor FarSight Labs detected the FasterXML Jackson-databind remote code execution vulnerability CVE-2020-9548.

On Mar 4, 2020, Sangfor FarSight Labs reproduced this vulnerability successfully, then released alerts and solutions.

Remediation Solution
The vendor has fixed this vulnerability. Please visit the following link to download the latest version:

Sangfor Solution
Sangfor NGAF customers should keep their NGAF security protection rules up to date.

Sangfor Cloud WAF has already updated its database in the cloud. Users are protected from this high-risk vulnerability easily and rapidly without performing any operation.

Sangfor Cyber Command is capable of detecting attacks that exploit this vulnerability and alerting users. Users can correlate Cyber Command with Sangfor NGAF to block the attacker's IP address.

Sangfor SOC ensures that Sangfor security specialists are available to you 24/7 for any security issue. Sangfor security experts first scan the customer's network environment to confirm whether the customer's hosts are free from this vulnerability. For users with vulnerable hosts, we review and update device policies to ensure protection against this vulnerability.
