
[PPP-5541] - Vulnerable Component: jackson-databind within htrace-core-3.1.0-incubating.jar #1548

Merged
merged 1 commit into from
Jan 27, 2025

Conversation

soagarwal1
Contributor

No description provided.

@soagarwal1 soagarwal1 requested a review from a team as a code owner January 23, 2025 07:02
@soagarwal1 soagarwal1 marked this pull request as draft January 23, 2025 07:06
@soagarwal1 soagarwal1 marked this pull request as ready for review January 24, 2025 13:49
@soagarwal1 soagarwal1 marked this pull request as draft January 24, 2025 14:37
Contributor

@NJtwentyone NJtwentyone left a comment

Two things:

  1. Add these changes to the other shims that will be supported for 10.3, i.e. Apache vanilla, emr700, etc.
  2. Frogbot is flagging org.apache.hive:hive-service, which is packaged in our driver, with vulnerabilities. Management needs to make a decision.


Passed

Analysis Details

0 Issues

  • 0 Bugs
  • 0 Vulnerabilities
  • 0 Code Smells

Coverage and Duplications

  • Coverage: no coverage information (0.00% estimated after merge)
  • Duplications: 0.00% duplicated code (0.00% estimated after merge)

Project ID: org.pentaho:pentaho-hadoop-shims

View in SonarQube

@soagarwal1 soagarwal1 marked this pull request as ready for review January 27, 2025 06:49
@buildguy
Collaborator

🚨 Frogbot scanned this pull request and found the below:

📦 Vulnerable Dependencies

✍️ Summary

| Severity | Direct dependencies | Impacted dependency | Fixed versions | CVEs |
|---|---|---|---|---|
| Critical | org.apache.hbase:hbase-mapreduce:2.6.1 | io.netty:netty 3.10.6.Final | 4.1.44.Final | CVE-2019-20444 |
| Critical | org.apache.hbase:hbase-mapreduce:2.6.1 | io.netty:netty 3.10.6.Final | 4.1.44.Final | CVE-2019-20445 |
| Critical | org.apache.hive:hive-exec:3.1.3000.7.1.9.0-387; org.pentaho.hadoop.shims:pentaho-hadoop-shims-cdpdc71-driver:10.3.0.0-SNAPSHOT; org.pentaho.hadoop.shims:pentaho-hadoop-shims-hdi40-driver:10.3.0.0-SNAPSHOT | org.apache.calcite:calcite-core 1.19.0.7.1.9.0-387 | 1.32.0 | CVE-2022-39135 |
| Critical | org.apache.hbase:hbase-mapreduce:2.6.1 | org.apache.hadoop:hadoop-common 2.10.2 | 3.2.3; 3.3.3 | CVE-2022-26612 |
| Critical | org.apache.hive:hive-jdbc:3.1.3000.7.1.9.0-387 | org.apache.hadoop:hadoop-yarn-server-resourcemanager 3.1.1.7.1.9.0-387 | - | - |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2019-14892 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2019-14893 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-9547 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-9548 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-9546 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-8840 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2019-20330 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2019-17531 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2019-17267 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2019-16942 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2019-16943 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2019-14540 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2019-16335 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2019-14379 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.2; 1.9.13-cloudera.2 | CVE-2018-14718 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.2; 1.9.13-cloudera.2 | CVE-2018-14719 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.2; 1.9.13-cloudera.2 | CVE-2018-14720 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.2; 1.9.13-cloudera.2 | CVE-2018-14721 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.2; 1.9.13-cloudera.2 | CVE-2018-19360 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.2; 1.9.13-cloudera.2 | CVE-2018-19361 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.2; 1.9.13-cloudera.2 | CVE-2018-19362 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.1; 1.9.13-cloudera.1 | CVE-2018-7489 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.1; 1.9.13-cloudera.1 | CVE-2017-15095 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.1; 1.9.13-cloudera.1 | CVE-2017-17485 |
| Critical | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.1; 1.9.13-cloudera.1 | CVE-2017-7525 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | - | CVE-2019-10172 |
| High | org.apache.hive:hive-service:3.1.3000.7.1.9.0-387; org.pentaho.hadoop.shims:pentaho-hadoop-shims-cdpdc71-driver:10.3.0.0-SNAPSHOT; org.pentaho.hadoop.shims:pentaho-hadoop-shims-hdi40-driver:10.3.0.0-SNAPSHOT | org.apache.hive:hive-service 3.1.3000.7.1.9.0-387 | 4.0.0 | CVE-2024-23945 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | - | CVE-2019-10202 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-11619 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-11620 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-10673 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2019-14439 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2019-12086 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.1; 1.9.13-cloudera.1 | CVE-2018-5968 |
| High | org.apache.hive:hive-exec:3.1.3000.7.1.9.0-387 | org.apache.ivy:ivy 2.5.1 | 2.5.2 | CVE-2022-46751 |
| High | org.apache.hbase:hbase-mapreduce:2.6.1 | com.fasterxml.woodstox:woodstox-core 5.3.0 | 5.4.0; 6.4.0 | CVE-2022-40152 |
| High | org.apache.hbase:hbase-mapreduce:2.6.1 | io.netty:netty 3.10.6.Final | - | CVE-2021-37136 |
| High | org.apache.hbase:hbase-mapreduce:2.6.1 | io.netty:netty 3.10.6.Final | - | CVE-2021-37137 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2021-20190 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-36188 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-36189 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-36183 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-36184 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-36185 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-36186 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-36187 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-36179 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-36180 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-36181 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-36182 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-35490 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-35491 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-25649 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-24750 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-24616 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-14195 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-14060 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-14061 |
| High | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2020-14062 |
| Medium | org.apache.hbase:hbase-mapreduce:2.6.1 | io.netty:netty 3.10.6.Final | - | CVE-2021-43797 |
| Medium | org.apache.hbase:hbase-mapreduce:2.6.1 | io.netty:netty 3.10.6.Final | - | CVE-2021-21409 |
| Medium | org.apache.hbase:hbase-mapreduce:2.6.1 | io.netty:netty 3.10.6.Final | - | CVE-2021-21295 |
| Medium | org.apache.hive:hive-exec:3.1.3000.7.1.9.0-387; org.pentaho.hadoop.shims:pentaho-hadoop-shims-cdpdc71-driver:10.3.0.0-SNAPSHOT; org.pentaho.hadoop.shims:pentaho-hadoop-shims-hdi40-driver:10.3.0.0-SNAPSHOT | org.apache.calcite:calcite-core 1.19.0.7.1.9.0-387 | 1.26.0 | CVE-2020-13955 |
| Medium | org.pentaho.hadoop.shims:pentaho-hadoop-shims-hdi40-driver:10.3.0.0-SNAPSHOT; org.apache.hive:hive-exec:3.1.3000.7.1.9.0-387; org.pentaho.hadoop.shims:pentaho-hadoop-shims-cdpdc71-driver:10.3.0.0-SNAPSHOT | org.apache.calcite:calcite-druid 1.19.0.7.1.9.0-387 | 1.26.0 | CVE-2020-13955 |
| Medium | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2019-12384 |
| Medium | org.apache.hive:hive-shims:3.1.3 | org.codehaus.jackson:jackson-mapper-asl 1.9.2 | 1.8.10-cloudera.3; 1.9.13-cloudera.3 | CVE-2019-12814 |
| Medium | org.apache.hbase:hbase-mapreduce:2.6.1 | io.netty:netty 3.10.6.Final | - | CVE-2021-21290 |
| Low | org.apache.hbase:hbase-mapreduce:2.6.1 | org.apache.hadoop:hadoop-common 2.10.2 | 3.4.0 | CVE-2024-23454 |

Note:

Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. These features are included as part of the JFrog Advanced Security package, which isn't enabled on your system.


@buildguy
Collaborator

🔬 Research Details

[ CVE-2019-20444 ] io.netty:netty 3.10.6.Final

Description:
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

[ CVE-2019-20445 ] io.netty:netty 3.10.6.Final

Description:
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

[ CVE-2022-39135 ] org.apache.calcite:calcite-core 1.19.0.7.1.9.0-387

Description:
Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE, which do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using the Oracle dialect (the first three) or the MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.

[ CVE-2022-26612 ] org.apache.hadoop:hadoop-common 2.10.2

Description:
In Apache Hadoop, the unTar function uses the unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However, on Windows getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links, which allows writing outside the expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3.

[ XRAY-138169 ] org.apache.hadoop:hadoop-yarn-server-resourcemanager 3.1.1.7.1.9.0-387

Description:
Missing access check before getAppAttempts

[ CVE-2019-14892 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper, is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON, web requests and many more, for example:

// Object from local JSON file
ObjectMapper mapper = new ObjectMapper();
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // default typing on: the "@class" value in the input selects the class to instantiate
Object obj = mapper.readValue(jsonContent, Object.class); // nominal type java.lang.Object places no bound on that class

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, the org.apache.commons.configuration.JNDIConfiguration gadget in commons-configuration might allow remote code execution but this is nontrivial and has never been proven publicly, thus the real-world impact is uncertain.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes commons-configuration in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove commons-configuration from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be Object obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2019-14893 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper, is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON, web requests and many more, for example:

// Object from local JSON file
ObjectMapper mapper = new ObjectMapper();
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // default typing on: the "@class" value in the input selects the class to instantiate
Object obj = mapper.readValue(jsonContent, Object.class); // nominal type java.lang.Object places no bound on that class

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the apache-xalan (https://github.com/apache/xalan-j) gadget, a JNDI controller called JNDIConnectionPool can be used by an attacker to initiate a connection with a malicious server and achieve remote code execution by loading arbitrary Java classes. For that the attacker will invoke the setJndiPath method to set the jndiPath to a path such as "ldap://127.0.0.1:1088/Exploit" and perform remote code execution by calling getConnection, as detailed in this PoC of a similar vulnerability.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes apache-xalan in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove apache-xalan from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be Object obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-9547 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper, is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON, web requests and many more, for example:

// Object from local JSON file
ObjectMapper mapper = new ObjectMapper();
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // default typing on: the "@class" value in the input selects the class to instantiate
Object obj = mapper.readValue(jsonContent, Object.class); // nominal type java.lang.Object places no bound on that class

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig gadget in ibatis, the attacker can call lookup with an arbitrary location by calling setUserTransaction and setProperties with an arbitrary argument such as "ldap://127.0.0.1:1088/Exploit". This vulnerability allows the attacker to perform remote code execution as shown in this PoC.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes ibatis.sqlmap in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be Object obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

Deployment mitigations

Remove ibatis.sqlmap from your Java classpath with the help of this guide

[ CVE-2020-9548 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper, is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON, web requests and many more, for example:

// Object from local JSON file
ObjectMapper mapper = new ObjectMapper();
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // default typing on: the "@class" value in the input selects the class to instantiate
Object obj = mapper.readValue(jsonContent, Object.class); // nominal type java.lang.Object places no bound on that class

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the br.com.anteros.dbcp.AnterosDBCPConfig gadget in anterosdbcp, the attacker can call lookup with an arbitrary location by calling setHealthCheckRegistry with an arbitrary argument such as "ldap://127.0.0.1:1088/Exploit". This vulnerability allows the attacker to perform remote code execution as demonstrated in this PoC.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes anterosdbcp in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove anterosdbcp from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be Object obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-9546 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper, is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON, web requests and many more, for example:

// Object from local JSON file
ObjectMapper mapper = new ObjectMapper();
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // default typing on: the "@class" value in the input selects the class to instantiate
Object obj = mapper.readValue(jsonContent, Object.class); // nominal type java.lang.Object places no bound on that class

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig gadget in Apache Hadoop, the attacker can call lookup with an arbitrary location by calling setHealthCheckRegistry with an arbitrary argument such as "ldap://127.0.0.1:1088/Exploit". This vulnerability allows the attacker to perform remote code execution as shown in this PoC of an older issue by using marshalsec (see section "Build an environment").

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes apache.hadoop in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove apache.hadoop from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be Object obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-8840 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper, is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON, web requests and many more, for example:

// Object from local JSON file
ObjectMapper mapper = new ObjectMapper();
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // default typing on: the "@class" value in the input selects the class to instantiate
Object obj = mapper.readValue(jsonContent, Object.class); // nominal type java.lang.Object places no bound on that class

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the org.apache.xbean.propertyeditor.JndiConverter gadget in Apache XBean, the attacker can call lookup with an arbitrary location by calling toObjectImpl with an arbitrary argument like "ldap://127.0.0.1:1088/Exploit". This vulnerability allows the attacker to perform remote code execution as shown in this PoC.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes apache.xbean in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove apache.xbean from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2019-20330 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:

Specifically, with the net.sf.ehcache gadget, the attacker can call lookup with an arbitrary location by calling toObjectImpl with an arbitrary argument like "ldap://127.0.0.1:1088/Exploit". This vulnerability allows the attacker to perform remote code execution as shown in this PoC of an older issue by using marshalsec (see section "Build an environment").

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes net.sf.ehcache in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

Deployment mitigations

Remove net.sf.ehcache from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need.

[ CVE-2019-17531 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:

Specifically, with the apache-log4j-extra gadget, an attacker can create an arbitrary JNDI connection by invoking lookupDataSource or setJndiLocation, which allows for accessing a JNDI location with the server's privileges, which further allows code injection and then code execution. Additional information on exploitation of a similar gadget can be found here.

When this library is included, an attacker can build a working exploit, and even automate this process by using ysoserial, a tool that finds gadgets and creates payloads for vulnerable Java deserializers.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes apache-log4j-extra in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove apache-log4j-extra from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2019-17267 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:

Specifically, with the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup gadget in net.sf.ehcache, one of the extended classes supports JNDI naming and allows calling lookup with an arbitrary location by calling JndiSelector with an arbitrary argument like "ldap://127.0.0.1:1088/Exploit", which enables the attacker to perform remote code execution when executing lookupTransactionManager. This is demonstrated in this PoC of an older issue by using marshalsec (see section "Build an environment").

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes net.sf.ehcache in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object

Remediation:

Deployment mitigations

Remove net.sf.ehcache from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2019-16942 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:

Specifically, with the commons-dbcp gadget, an attacker can create an arbitrary JDBC connection by invoking org.apache.commons.dbcp.datasources.SharedPoolDataSource or org.apache.commons.dbcp.datasources.PerUserPoolDataSource, which allows for arbitrary SQL execution through the JDBC connection, which further allows code injection, since the H2 JDBC driver allows defining and executing custom SQL aliases containing Java code. Additional information on this gadget can be found here.

When this library is included, an attacker can build a working exploit, and even automate this process by using ysoserial, a tool that finds gadgets and creates payloads for vulnerable Java deserializers.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes p6spy in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove p6spy from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2019-16943 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:

Specifically, with the p6spy gadget, an attacker can create an arbitrary JDBC connection by invoking the com.p6spy.engine.spy.P6DataSource method, which allows for arbitrary SQL execution through the JDBC connection which further allows code injection, since the H2 JDBC driver allows defining and executing custom SQL aliases containing Java code. Additional information on this gadget can be found here.

When this library is included, an attacker can build a working exploit, and even automate this process by using ysoserial, a tool that finds gadgets and creates payloads for vulnerable Java deserializers.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes p6spy in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove p6spy from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2019-14540 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:

Specifically, with the com.zaxxer.hikari.HikariConfig gadget in zaxxer.hikari, the attacker can use this class to indirectly call getObjectOrPerformJndiLookup by calling setHealthCheckRegistry.
The method assumes that any healthCheckRegistry argument is trusted and later performs JNDI loading using it. The attacker can call this function with an arbitrary argument such as "ldap://127.0.0.1:1088/Exploit", which leads to remote code execution as shown in this PoC of an older issue by using marshalsec (see section "Build an environment").

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes zaxxer.hikari in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove zaxxer.hikari from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2019-16335 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:

Specifically, with the com.zaxxer.hikari.HikariDataSource gadget in zaxxer.hikari, an attacker can use this class to indirectly call getObjectOrPerformJndiLookup by calling setHealthCheckRegistry, which calls super.setHealthCheckRegistry.
The method assumes that any healthCheckRegistry argument is trusted and later performs JNDI loading. The attacker can call this function with an arbitrary argument like "ldap://127.0.0.1:1088/Exploit", which achieves remote code execution as shown in this PoC of an older issue by using marshalsec (see section "Build an environment").

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes zaxxer.hikari in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove zaxxer.hikari from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2019-14379 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:

Specifically, the net.sf.ehcache.hibernate.DefaultTransactionManagerLookup gadget in net.sf.ehcache might allow remote code execution, but this is nontrivial and has never been proven publicly, thus the real-world impact is uncertain.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes net.sf.ehcache in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove net.sf.ehcache from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2018-14718 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:

Specifically, the following classes were found to be able to cause remote code execution when used as Java gadgets:

org.slf4j.ext.EventData

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes one of the above classes in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2018-14719 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type or by calling enableDefaultTyping() on your Objectmapper..
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various of sources such as files, URL, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = ObjectMapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = ObjectMapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping()
obj = mapper.readValue(jsonContent, java.lang.Object.java_class)

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, the following classes were found to be able to cause remote code execution when used as Java gadgets -

flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes one of the above classes in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.


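The configuration contrast that every advisory above comes back to, written out as an added example that is not part of this PR, of the bot's advisory text, or of the htrace/Jackson projects: the enableDefaultTyping() + Object.class pattern the advisories call vulnerable, beside the two hardened forms they recommend. Phone and InternationalNumber are hypothetical domain types, and the allow-list variant assumes jackson-databind 2.10 or later (the Codehaus jackson-mapper-asl 1.9.x line flagged in this PR has no PolymorphicTypeValidator API, so for it the only fix is to leave default typing off or upgrade). The probe payload names TemplatesImpl only as a type id, with no gadget properties; the point is that the validator refuses the type id before anything is instantiated.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical domain types, assumed for this example only.
    public static abstract class Phone {
        public int areaCode;
    }

    public static class InternationalNumber extends Phone {
        public String countryCode;
    }

    // 1. The pattern the advisories describe as vulnerable: global default typing
    //    with no validator, so any class on the classpath can be named in "@class",
    //    combined with java.lang.Object as the target type. Shown for contrast only;
    //    never use this on JSON from an untrusted source.
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL,
                                   JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    // 2a. Preferred fix: no default typing at all and a concrete target type.
    //     An "@class" key in the input is then just an unknown property.
    static InternationalNumber readAsConcreteType(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(json, InternationalNumber.class);
    }

    // 2b. If polymorphism is genuinely required (jackson-databind 2.10+): activate
    //     default typing only behind an allow-list validator. Type ids outside the
    //     allowed prefix are rejected before the named class is instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            // Nested classes of this demo are named "DefaultTypingDemo$..."
            .allowIfSubType(DefaultTypingDemo.class.getName() + "$")
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL,
                                     JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs.
        String legitType = InternationalNumber.class.getName();
        String legit = "{\"@class\":\"" + legitType + "\",\"areaCode\":555,\"countryCode\":\"+1\"}";
        // Type id taken from the gadget list in the advisories; no gadget properties.
        String probe = "{\"@class\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\"}";

        ObjectMapper hardened = hardenedMapper();

        Object ok = hardened.readValue(legit, Object.class);
        System.out.println("allowed:  " + ok.getClass().getName());

        try {
            hardened.readValue(probe, Object.class);
            System.out.println("UNEXPECTED: probe type id accepted");
        } catch (InvalidTypeIdException e) {
            // Raised by the PolymorphicTypeValidator for a type id outside the allow-list.
            System.out.println("rejected: " + e.getTypeId());
        }

        try {
            readAsConcreteType(probe);
        } catch (UnrecognizedPropertyException e) {
            // With default typing off, the attacker-chosen class name is never resolved.
            System.out.println("no default typing: '@class' is an ordinary unknown property");
        }
    }
}
```

The vulnerableMapper() method is deliberately never invoked in main(): with it, the probe's type id would be resolved and the named class constructed, which is exactly the step the advisories' "Exploitation requires" lists depend on. Note also that the allow-list is a positive list of the application's own types; a deny-list of known gadgets, which is what the blacklist approach in the flagged 1.9.x line amounts to, only holds until the next gadget class is found.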
@buildguy
Collaborator

🔬 Research Details

[ CVE-2018-14720 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper, is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by annotating the relevant type with @JsonTypeInfo(use = Id.CLASS), so that its concrete class is determined from the input, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object, like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept input from various sources such as files, URLs, JSON strings, web requests and many more, for example:

ObjectMapper mapper = new ObjectMapper();
// Object from local JSON file
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class on the server side, assuming attacker-supplied JSON is deserialized.
Vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
Object obj = mapper.readValue(jsonContent, Object.class);

The server side creates the desired object by calling mapper.readValue(…), which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind and that, when chained together, allow the attacker to perform operations with some security impact (such as remote code injection). These code modules are also known as gadgets.

Specifically, the following classes were found to be able to cause data leakage when used as Java gadgets:

com.sun.deploy.security.ruleset.DRSHelper

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes one of the above classes in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2018-14721 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type or by calling enableDefaultTyping() on your Objectmapper..
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various of sources such as files, URL, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = ObjectMapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = ObjectMapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping()
obj = mapper.readValue(jsonContent, java.lang.Object.java_class)

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, the blocked gadget is org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl which can lead to SSRF when abused.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable Java service includes axis2-jaxws in its Java classpath
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Development mitigations

Remove axis2-jaxws from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2018-19360 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type or by calling enableDefaultTyping() on your Objectmapper..
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various of sources such as files, URL, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = ObjectMapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = ObjectMapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping()
obj = mapper.readValue(jsonContent, java.lang.Object.java_class)

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, the blocked gadget is org.apache.axis2.transport.jms.JMSOutTransportInfo
which has an unspecified impact (no technical details about the issue have been published).

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes axis2-transport-jms in its Java classpath
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove axis2-transport-jms from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2018-19361 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type or by calling enableDefaultTyping() on your Objectmapper..
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various of sources such as files, URL, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = ObjectMapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = ObjectMapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping()
obj = mapper.readValue(jsonContent, java.lang.Object.java_class)

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, the blocked gadget is org.apache.openjpa.ee.RegistryManagedRuntime and org.apache.openjpa.ee.JNDIManagedRuntime
which have an unspecified impact (no technical details about the issue have been published).

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes openjpa in its Java classpath
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove openjpa from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2018-19362 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type or by calling enableDefaultTyping() on your Objectmapper..
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various of sources such as files, URL, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = ObjectMapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = ObjectMapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping()
obj = mapper.readValue(jsonContent, java.lang.Object.java_class)

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, the blocked gadget is org.jboss.util.propertyeditor.DocumentEditor
which has an unspecified impact (no technical details about the issue have been published).

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes jboss-common in its Java classpath
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove jboss-common from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2018-7489 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type or by calling enableDefaultTyping() on your Objectmapper..
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various of sources such as files, URL, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = ObjectMapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = ObjectMapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping()
obj = mapper.readValue(jsonContent, java.lang.Object.java_class)

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, the following classes were found to be able to cause remote code execution when used as Java gadgets -

com.mchange.v2.c3p0.*

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes one of the above classes in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

[ CVE-2017-15095 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type or by calling enableDefaultTyping() on your Objectmapper..
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various of sources such as files, URL, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = ObjectMapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = ObjectMapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping()
obj = mapper.readValue(jsonContent, java.lang.Object.java_class)

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, the following classes were found to be able to cause remote code execution when used as Java gadgets -

// JDK provided
java.util.logging.FileHandler
java.rmi.server.UnicastRemoteObject

// 3rd party
org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor
org.springframework.beans.factory.config.PropertyPathFactoryBean
com.mchange.v2.c3p0.JndiRefForwardingDataSource
com.mchange.v2.c3p0.WrapperConnectionPoolDataSource

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes one of the above classes in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2017-17485 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type or by calling enableDefaultTyping() on your Objectmapper..
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various of sources such as files, URL, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = ObjectMapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = ObjectMapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping()
obj = mapper.readValue(jsonContent, java.lang.Object.java_class)

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, the following classes were found to be able to cause remote code execution when used as Java gadgets:

  • org.apache.tomcat.dbcp.dbcp2.BasicDataSource
  • com.sun.org.apache.bcel.internal.util.ClassLoader
  • AbstractApplicationContext

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes one of the above classes in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

[ CVE-2017-7525 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type or by calling enableDefaultTyping() on your Objectmapper..
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various of sources such as files, URL, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = ObjectMapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = ObjectMapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping()
obj = mapper.readValue(jsonContent, java.lang.Object.java_class)

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, the following classes were found to be able to cause remote code execution when used as Java gadgets -

com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes one of the above classes in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

[ CVE-2019-10172 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
A flaw was found in the org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect the Codehaus jackson-mapper-asl libraries, but in different classes.

[ CVE-2024-23945 ] org.apache.hive:hive-service 3.1.3000.7.1.9.0-387

Description:
Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further exploitation.

The vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (1.2.0) and in Apache Spark by SPARK-14987 (2.0.0). The affected components are the following:

  • org.apache.hive:hive-service
  • org.apache.spark:spark-hive-thriftserver_2.11
  • org.apache.spark:spark-hive-thriftserver_2.12

[ CVE-2019-10202 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

[ CVE-2020-11619 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper, is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by annotating the relevant type with @JsonTypeInfo(use = Id.CLASS), so that its concrete class is determined from the input, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object, like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept input from various sources such as files, URLs, JSON strings, web requests and many more, for example:

ObjectMapper mapper = new ObjectMapper();
// Object from local JSON file
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class on the server side, assuming attacker-supplied JSON is deserialized.
Vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
Object obj = mapper.readValue(jsonContent, Object.class);

The server side creates the desired object by calling mapper.readValue(…), which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind and that, when chained together, allow the attacker to perform operations with some security impact (such as remote code injection). These code modules are also known as gadgets.

Specifically, with the spring-aop gadget, an attacker can manipulate inner variables in org.springframework.aop.config.MethodLocatingFactoryBean and cause SSRF by invoking setBeanFactory and setMethodName.

When this library is included, an attacker can build a working exploit, and even automate this process by using ysoserial, a tool that finds gadgets and creates payloads for vulnerable Java deserializers.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes spring-aop in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove spring-aop from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-11620 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) to the type whose concrete class must be determined, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and many more, for example:

ObjectMapper mapper = new ObjectMapper();
// Object from local JSON file
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // accept type identifiers from the JSON itself
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the commons-jelly gadget, an attacker can setup a Jelly script and then execute it by invoking setScript and execute, which leads to remote code execution.

When this library is included, an attacker can build a working exploit, and even automate this process by using ysoserial, a tool that finds gadgets and creates payloads for vulnerable Java deserializers.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes commons-jelly in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

Deployment mitigations

Remove commons-jelly from your Java classpath with the help of this guide

[ CVE-2020-10673 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) to the type whose concrete class must be determined, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and many more, for example:

ObjectMapper mapper = new ObjectMapper();
// Object from local JSON file
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // accept type identifiers from the JSON itself
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the caucho gadget, an attacker can set _lookupName with setLookupName and then invoke lookup with an attacker-controlled value by calling getValue.
With this, the attacker is able to load classes and methods from an arbitrary location such as "ldap://127.0.0.1:1088/Exploit" and perform remote code execution, as detailed in this PoC.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes caucho in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove caucho from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2019-14439 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) to the type whose concrete class must be determined, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and many more, for example:

ObjectMapper mapper = new ObjectMapper();
// Object from local JSON file
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // accept type identifiers from the JSON itself
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the ch.qos.logback.core.db.JNDIConnectionSource gadget in logback, the attacker can call lookup with an arbitrary location by setting jndiLocation to an arbitrary argument like "ldap://127.0.0.1:1088/Exploit" and then execute it by calling getConnection. This vulnerability allows the attacker to perform remote code execution as shown in this PoC of an older issue by using marshalsec (see section "Build an environment").

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes logback in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove logback from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2019-12086 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) to the type whose concrete class must be determined, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and many more, for example:

ObjectMapper mapper = new ObjectMapper();
// Object from local JSON file
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // accept type identifiers from the JSON itself
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, because of the missing com.mysql.cj.jdbc.admin.MiniAdmin (mysql-connector) entry, the attacker can craft a special JSON request and read arbitrary local files on the server.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes mysql-connector-java in its Java classpath
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Deployment mitigations

Remove mysql-connector-java from your Java classpath with the help of this guide

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2018-5968 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) to the type whose concrete class must be determined, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and many more, for example:

ObjectMapper mapper = new ObjectMapper();
// Object from local JSON file
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // accept type identifiers from the JSON itself
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, the following classes were found to be able to cause remote code execution when used as Java gadgets -

org.hibernate.jmx.StatisticsService
org.apache.ibatis.datasource.jndi.JndiDataSourceFactory

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes one of the above classes in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2022-46751 ] org.apache.ivy:ivy 2.5.1

Description:
Apache Ivy is a popular dependency manager and a sub-project of Apache Ant, a popular build tool which it is often used in conjunction with, although it can also be used to build packages independently. Apache Ivy is also compatible with Apache Maven.

Ivy files are XML files, usually called ivy.xml, containing the description of the dependencies of a module, its published artifacts and its configurations.
"Apache Maven POMs" are XML files, usually called pom.xml, used by Apache Maven for project configuration.

SSRF is a web security issue where an attacker tricks a web application into making unintended requests to other servers, potentially leading to data leaks or unauthorized access.
XML external entity injection (XXE) is a security vulnerability that allows a threat actor to inject unsafe XML entities. This could be used to leak data, access restricted resources, disturb the system or to conduct an SSRF attack.
A supply chain attack infiltrates a target by exploiting vulnerabilities in its suppliers or partners.

When Ivy parses XML files - either its own configuration, Ivy files or Apache Maven POMs, it will allow downloading external document type definitions and expand any entity references contained therein when used, and thus leading to an XXE vulnerability.

An attacker can trigger the exploit by specifying use of an external entity in one of the mentioned XML files (given he finds a way to edit them). An example of such an external entity is defining the XML DOCTYPE as an external file/webpage. Reading Ivy parse results is not possible for an attacker, and so the vulnerability could be more useful for other attacks (other than data leakage), such as SSRF.

The vulnerability could also be triggered by a supply chain attack, meaning that the attacker can exploit the vulnerability by uploading his malicious repository with an exploit to a non-malicious repository to which he has access.

Example of malicious payload an attacker can add to an xml file:

       <!ENTITY bar SYSTEM "https://victim.com/">
]>

[ CVE-2022-40152 ] com.fasterxml.woodstox:woodstox-core 5.3.0

Description:
XStream (https://x-stream.github.io/) is a Java serialization library to serialize objects, mainly to and from XML but also from other supported formats such as JSON.

A stack exhaustion issue was discovered in XStream's Woodstox (https://github.com/FasterXML/woodstox) dependency, in the FullDTDReader class, that can be triggered when unmarshaling crafted XML or JSON data.
This vulnerability is exploitable if XStream is used to unmarshal untrusted input, using the fromXML method.

The issue was discovered by OSS-Fuzz, but currently no public exploit exists, which makes exploitation less likely.
The issue is currently unfixed and affects all versions of XStream, even when using the default safe whitelist that was introduced in version 1.4.18.

CVE-2022-40152 - CVE-2022-40156 are currently incorrectly attributed to XStream. These vulnerabilities lie in the FasterXML Woodstox library (https://github.com/FasterXML/woodstox), which is a dependency of XStream. Nevertheless, these vulnerabilities can be triggered directly from XStream's fromXML method.

Remediation:

Development mitigations

Wrap XStream's fromXML method with exception handling -

import com.thoughtworks.xstream.XStream;

try {
    XStream xstream = new XStream();
    Object obj = xstream.fromXML(untrustedXml); // untrustedXml: attacker-controlled input
}
catch (StackOverflowError e) {
    System.err.println("ERROR: Stack limit reached");
}

[ CVE-2021-37136 ] io.netty:netty 3.10.6.Final

Description:
netty is a popular client/server framework which enables quick and easy development of network applications such as protocol servers and clients.

A vulnerability was found in netty's Bzip2 decoder - when using the netty library and accepting arbitrary data streams to decode, netty does not limit the stream in any way.
An attacker that can submit a big file to decompress, may cause memory exhaustion which will lead to denial of service on the netty daemon process and possibly other processes on the same machine.

Example code that can trigger the issue -

import java.io.FileInputStream;

import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufAllocator;
import io.netty.buffer.PooledByteBufAllocator;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.compression.Bzip2Decoder;

public class Bzip2Flood { // wrapper class added so the snippet compiles; name is arbitrary
    public static void main(String[] args) throws Exception {
        Bzip2Decoder decoder = new Bzip2Decoder(); // Create the decompressor
        final ByteBufAllocator allocator = new PooledByteBufAllocator(false);
        FileInputStream file = new FileInputStream("C:\\temp\\100GB.bz2"); // External input
        int inputChunks = 64 * 1024;
        ByteBuf buf = allocator.heapBuffer(inputChunks);
        // StubChannelHandlerContext: a test stub standing in for a real pipeline context (not part of netty's public API)
        ChannelHandlerContext ctx = new StubChannelHandlerContext(allocator);
        while (buf.writeBytes(file, buf.writableBytes()) >= 0) { // feed the file chunk by chunk until EOF
            System.out.println("Input: " + buf.capacity());
            decoder.channelRead(ctx, buf); // BUG, No internal resource release!
            buf = allocator.heapBuffer(inputChunks);
            decoder.channelReadComplete(ctx);
        }
    }
}
[ CVE-2021-37137 ] io.netty:netty 3.10.6.Final

Description:
netty is a popular client/server framework which enables quick and easy development of network applications such as protocol servers and clients.

A vulnerability was found in netty's Snappy decoder - when using the netty library and accepting arbitrary data streams to decode, netty does not limit the stream in any way.
An attacker that can submit a big file to decompress, may cause memory exhaustion which will lead to denial of service on the netty daemon process and possibly other processes on the same machine.

Example code that can trigger the issue -

import java.io.FileInputStream;

import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufAllocator;
import io.netty.buffer.PooledByteBufAllocator;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.compression.SnappyFrameDecoder;

public class SnappyFlood { // wrapper class added so the snippet compiles; name is arbitrary
    public static void main(String[] args) throws Exception {
        SnappyFrameDecoder decoder = new SnappyFrameDecoder(); // Create the decompressor
        final ByteBufAllocator allocator = new PooledByteBufAllocator(false);
        FileInputStream file = new FileInputStream("C:\\temp\\100GB.snappy"); // External input
        int inputChunks = 64 * 1024;
        ByteBuf buf = allocator.heapBuffer(inputChunks);
        // StubChannelHandlerContext: a test stub standing in for a real pipeline context (not part of netty's public API)
        ChannelHandlerContext ctx = new StubChannelHandlerContext(allocator);
        while (buf.writeBytes(file, buf.writableBytes()) >= 0) { // feed the file chunk by chunk until EOF
            System.out.println("Input: " + buf.capacity());
            decoder.channelRead(ctx, buf); // BUG, No internal resource release!
            buf = allocator.heapBuffer(inputChunks);
            decoder.channelReadComplete(ctx);
        }
    }
}
[ CVE-2021-20190 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) to the type whose concrete class must be determined, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and many more, for example:

ObjectMapper mapper = new ObjectMapper();
// Object from local JSON file
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // accept type identifiers from the JSON itself
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, the blocked gadget is javax.swing.JTextPane which can lead to SSRF when abused. For example - mapper.readValue("[\"javax.swing.JTextPane\",{\"page\":\"remoteaddr\"}]", Object.class)

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes javax.swing in its Java classpath
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove javax.swing from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())


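Every jackson-databind advisory in the comment above ends with the same two development mitigations: do not deserialize untrusted JSON into java.lang.Object, and do not enable global default typing. The following is an added example, not code from this PR, from htrace, or from the JFrog research above. It puts the vulnerable ObjectMapper configuration the advisories describe next to a hardened one for the Phone / InternationalNumber types used in their "@class" illustration. The class names, the Phone hierarchy and both JSON payloads are constructed for this example; the hardened form relies on the PolymorphicTypeValidator API that exists in jackson-databind 2.10 and later, which the jackson-mapper-asl 1.9.2 flagged in this PR does not have, so it is an argument for upgrading rather than a configuration to apply to the old jar.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not from the PR or the advisories); needs jackson-databind >= 2.10 on the classpath.
public class PolymorphicDeserDemo {

    // Hypothetical domain types mirroring the "phone" / "@class" example in the advisories.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) // concrete class is carried in an "@class" property
    public abstract static class Phone {
        public int areaCode;
    }

    public static class InternationalNumber extends Phone {
        public String countryCode;
    }

    // Constructed payloads. The second has the same shape as the JTextPane payload quoted for
    // CVE-2021-20190: the attacker, not the application, picks the class to instantiate.
    static final String LEGIT_JSON = "{\"@class\":\"" + InternationalNumber.class.getName()
            + "\",\"areaCode\":555,\"countryCode\":\"+1\"}";
    static final String GADGET_JSON =
            "[\"javax.swing.JTextPane\",{\"page\":\"http://attacker.invalid/\"}]";

    // VULNERABLE: the configuration every advisory above describes. With global default typing on
    // and Object as the target, readValue() instantiates whatever class the JSON names and calls
    // its setters (JTextPane.setPage() would fetch the URL). Shown for contrast only; never call
    // it on untrusted input.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    // HARDENED: no global default typing, a concrete target type, and an allow-list so that the
    // "@class" id may only name a subtype of Phone.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Phone.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.setPolymorphicTypeValidator(ptv); // also governs @JsonTypeInfo-driven resolution
        return mapper;
    }

    // Deserializes the trusted-shaped payload into the Phone hierarchy (never into Object).
    static Phone parseTrusted() throws Exception {
        return hardenedMapper().readValue(LEGIT_JSON, Phone.class);
    }

    // Returns true when the hardened mapper refuses the gadget payload instead of instantiating it.
    static boolean gadgetRejected() throws Exception {
        try {
            hardenedMapper().readValue(GADGET_JSON, Phone.class);
            return false;
        } catch (InvalidTypeIdException e) { // JTextPane is not a Phone subtype: resolution denied
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        Phone p = parseTrusted();
        System.out.println("trusted payload -> " + p.getClass().getSimpleName()
                + " areaCode=" + p.areaCode);
        System.out.println("gadget payload rejected by hardened mapper: " + gadgetRejected());
        // vulnerableMapper().readValue(GADGET_JSON, Object.class) is the call the advisories warn about.
    }
}
```

The allow-list is deliberately a type rather than a package prefix: a prefix such as "org." would readmit several of the gadget classes listed above. When an endpoint genuinely needs default typing, the 2.10+ replacement is activateDefaultTyping(ptv, ...) with the same validator, which is the narrowest configuration in which polymorphic input is still accepted.
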
@buildguy
Collaborator

🔬 Research Details

[ CVE-2020-36188 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) to the type whose concrete class must be determined, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and many more, for example:

ObjectMapper mapper = new ObjectMapper();
// Object from local JSON file
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // accept type identifiers from the JSON itself
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the newrelic (https://github.com/newrelic/newrelic-java-agent) gadget, an attacker can set jndiLocation to load a malicious Java class from an arbitrary location such as ldap://127.0.0.1:1288/Exploit. This attack was demonstrated publicly in this PoC.

When this library is included, an attacker can build a working exploit, and even automate this process by using ysoserial, a tool that finds gadgets and creates payloads for vulnerable Java deserializers.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes newrelic in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove newrelic from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-36189 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) to the type whose concrete class must be determined, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and many more, for example:

ObjectMapper mapper = new ObjectMapper();
// Object from local JSON file
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // accept type identifiers from the JSON itself
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, in the com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource gadget in newrelic, the attacker can call lookup with arbitrary arguments by setting the JNDI URL with setUrl and then executing it with getConnection. This vulnerability can lead to remote code execution as described in this PoC.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes newrelic.agent in its Java classpath
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove newrelic.agent from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-36183 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) to the type whose concrete class must be determined, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various of sources such as files, URL, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = ObjectMapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = ObjectMapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping()
obj = mapper.readValue(jsonContent, java.lang.Object.java_class)

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the Apache Xalan (aka embedded Xalan) gadget, a JNDI controller called JNDIConnectionPool can be used by an attacker to initiate a connection with a malicious server and achieve remote code execution by loading arbitrary Java classes. For that the attacker will invoke the setJndiPath method to set the jndiPath to a path such as "ldap://127.0.0.1:1088/Exploit" as detailed in this PoC.

Specifically, with the docx4j gadget, which contains an embedded Apache Xalan gadget, a JNDI controller called JNDIConnectionPool can be used by an attacker to initiate connection with a malicious server and achieve remote code execution by loading arbitrary Java classes. For that the attacker will invoke the setJndiPath method to set the jndiPath to a path similar to "ldap://127.0.0.1:1088/Exploit" as detailed in this PoC of a similar issue.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable Java service includes docx4j in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object

Remediation:

Deployment mitigations

Remove docx4j from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-36184 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by annotating the type with @JsonTypeInfo(use = Id.CLASS) or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and more, for example:

// Object from a local JSON file
ObjectMapper mapper = new ObjectMapper();
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from an HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

// Vulnerable: default typing enabled and the target type is java.lang.Object
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the Apache Tomcat dbcp2 gadget, an attacker can create an arbitrary Pool connection to a DB by invoking testCPDS in org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. The impact of creating such a Pool connection is unknown.

When this library is included, an attacker can build a working exploit, and even automate this process by using ysoserial, a tool that finds gadgets and creates payloads for vulnerable Java deserializers.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable Java service includes dbcp2 in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove dbcp2 from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-36185 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by annotating the type with @JsonTypeInfo(use = Id.CLASS) or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and more, for example:

// Object from a local JSON file
ObjectMapper mapper = new ObjectMapper();
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from an HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

// Vulnerable: default typing enabled and the target type is java.lang.Object
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the Apache Tomcat dbcp gadget, an attacker can create an arbitrary Pool connection to a DB by invoking testCPDS in org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. The impact of creating such a Pool connection is unknown.

When this library is included, an attacker can build a working exploit, and even automate this process by using ysoserial, a tool that finds gadgets and creates payloads for vulnerable Java deserializers.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable Java service includes dbcp2 in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object

Remediation:

Deployment mitigations

Remove dbcp2 from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-36186 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by annotating the type with @JsonTypeInfo(use = Id.CLASS) or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and more, for example:

// Object from a local JSON file
ObjectMapper mapper = new ObjectMapper();
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from an HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

// Vulnerable: default typing enabled and the target type is java.lang.Object
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the Apache Tomcat dbcp gadget, an attacker can create an arbitrary Pool connection to a DB by invoking testCPDS in org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. The impact of creating such a Pool connection is unknown.

When this library is included, an attacker can build a working exploit, and even automate this process by using ysoserial, a tool that finds gadgets and creates payloads for vulnerable Java deserializers.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable Java service includes dbcp in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object

Remediation:

Deployment mitigations

Remove dbcp from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-36187 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by annotating the type with @JsonTypeInfo(use = Id.CLASS) or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and more, for example:

// Object from a local JSON file
ObjectMapper mapper = new ObjectMapper();
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from an HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

// Vulnerable: default typing enabled and the target type is java.lang.Object
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the Apache Tomcat dbcp gadget, an attacker can create an arbitrary Pool connection to a DB by invoking testCPDS in org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. The impact of creating such a Pool connection is unknown.

When this library is included, an attacker can build a working exploit, and even automate this process by using ysoserial, a tool that finds gadgets and creates payloads for vulnerable Java deserializers.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable Java service includes dbcp in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove dbcp from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-36179 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by annotating the type with @JsonTypeInfo(use = Id.CLASS) or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and more, for example:

// Object from a local JSON file
ObjectMapper mapper = new ObjectMapper();
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from an HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

// Vulnerable: default typing enabled and the target type is java.lang.Object
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the dbcp in commons-dbcp gadget, an attacker can call setUrl or control the content of the object, but the real-world impact from these primitives, in the general case, is unknown.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable Java service includes commons-dbcp in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object

Remediation:

Deployment mitigations

Remove commons-dbcp from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-36180 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by annotating the type with @JsonTypeInfo(use = Id.CLASS) or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and more, for example:

// Object from a local JSON file
ObjectMapper mapper = new ObjectMapper();
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from an HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

// Vulnerable: default typing enabled and the target type is java.lang.Object
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the dbcp2 in commons-dbcp gadget, an attacker can call setUrl or control the content of the object, but the real-world impact from these primitives, in the general case, is unknown.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable Java service includes commons-dbcp in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove commons-dbcp from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-36181 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by annotating the type with @JsonTypeInfo(use = Id.CLASS) or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and more, for example:

// Object from a local JSON file
ObjectMapper mapper = new ObjectMapper();
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from an HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

// Vulnerable: default typing enabled and the target type is java.lang.Object
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the Apache Tomcat dbcp gadget, the attacker might control the DB connection URL but cannot initiate the connection on demand. The real-world impact from these primitives, in the general case, is unknown.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable Java service includes dbcp in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object

Remediation:

Deployment mitigations

Remove dbcp from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-36182 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by annotating the type with @JsonTypeInfo(use = Id.CLASS) or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and more, for example:

// Object from a local JSON file
ObjectMapper mapper = new ObjectMapper();
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from an HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

// Vulnerable: default typing enabled and the target type is java.lang.Object
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the Apache Tomcat dbcp2 gadget, the attacker might control the DB connection URL but cannot initiate the connection on demand. The real-world impact from these primitives, in the general case, is unknown.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable Java service includes dbcp2 in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

Deployment mitigations

Remove dbcp2 from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

[ CVE-2020-35490 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by annotating the type with @JsonTypeInfo(use = Id.CLASS) or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and more, for example:

// Object from a local JSON file
ObjectMapper mapper = new ObjectMapper();
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from an HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

// Vulnerable: default typing enabled and the target type is java.lang.Object
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the dbcp2 gadget, an attacker can create an arbitrary Pool connection to a DB by invoking registerPool, which will call testCPDS in org.apache.commons.dbcp.dbcp2.datasources.PerUserPoolDataSource. The impact from creating an arbitrary Pool connection is unknown.

When this library is included, an attacker can build a working exploit, and even automate this process by using ysoserial, a tool that finds gadgets and creates payloads for vulnerable Java deserializers.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable Java service includes dbcp2 in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove dbcp2 from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-35491 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type or by calling enableDefaultTyping() on your Objectmapper..
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various of sources such as files, URL, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = ObjectMapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = ObjectMapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // accepts attacker-controlled "@class" type identifiers
Object obj = mapper.readValue(jsonContent, Object.class); // nominal type java.lang.Object

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the Apache Xalan dbcp2 gadget, an attacker can create an arbitrary Pool connection to a DB by invoking testCPDS in org.apache.xalan.commons.dbcp2.datasources.SharedPoolDataSource. The impact from creating an arbitrary Pool connection is unknown.

When this library is included, an attacker can build a working exploit, and even automate this process by using ysoserial, a tool that finds gadgets and creates payloads for vulnerable Java deserializers.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes dbcp2 in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove dbcp2 from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, java.lang.Object.class). Instead, try to deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-25649 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper, is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = new ObjectMapper().readValue(new File("phone.json"), Phone.class);
// or
// Object from HTTP-hosted JSON file
Phone p = new ObjectMapper().readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // accepts attacker-controlled "@class" type identifiers
Object obj = mapper.readValue(jsonContent, Object.class); // nominal type java.lang.Object

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, the setExpandEntityReferences(false) API call failed to prevent entity expansion and may be harmful to data integrity. The fix added two more settings to prevent data expansion:

factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes one of the above classes in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, java.lang.Object.class). Instead, try to deserialize to the specific object type that you need rather than java.lang.Object.

[ CVE-2020-24750 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper, is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = new ObjectMapper().readValue(new File("phone.json"), Phone.class);
// or
// Object from HTTP-hosted JSON file
Phone p = new ObjectMapper().readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // accepts attacker-controlled "@class" type identifiers
Object obj = mapper.readValue(jsonContent, Object.class); // nominal type java.lang.Object

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the pastdev.httpcomponents gadget, an attacker can achieve remote code execution by creating a JndiConfiguration object and then calling the load method. This vulnerability allows the attacker to perform remote code execution as shown in this PoC of an older issue by using marshalsec (see section "Build an environment").

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes pastdev.httpcomponents in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove `pastdev.httpcomponents` from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, java.lang.Object.class). Instead, try to deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-24616 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper, is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = new ObjectMapper().readValue(new File("phone.json"), Phone.class);
// or
// Object from HTTP-hosted JSON file
Phone p = new ObjectMapper().readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // accepts attacker-controlled "@class" type identifiers
Object obj = mapper.readValue(jsonContent, Object.class); // nominal type java.lang.Object

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the pastdev.httpcomponents gadget, an attacker can achieve remote code execution by creating a JndiConfiguration object and then calling the load method. This vulnerability allows the attacker to perform remote code execution as shown in this PoC of an older issue by using marshalsec (see section "Build an environment").

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes Anteros-DBCP in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove `Anteros-DBCP` from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, java.lang.Object.class). Instead, try to deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-14195 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper, is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = new ObjectMapper().readValue(new File("phone.json"), Phone.class);
// or
// Object from HTTP-hosted JSON file
Phone p = new ObjectMapper().readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // accepts attacker-controlled "@class" type identifiers
Object obj = mapper.readValue(jsonContent, Object.class); // nominal type java.lang.Object

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the org.jsecurity.realm.jndi.JndiRealmFactory gadget, an attacker can build a jndiRealm to use for attacking through similar class gadgets in JSecurity.
Therefore, this gadget alone is impactless, but can be used as part of a gadget chain.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes jsecurity in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove jsecurity from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, java.lang.Object.class). Instead, try to deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())


@buildguy
Collaborator

🔬 Research Details

[ CVE-2020-14060 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper, is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = new ObjectMapper().readValue(new File("phone.json"), Phone.class);
// or
// Object from HTTP-hosted JSON file
Phone p = new ObjectMapper().readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // accepts attacker-controlled "@class" type identifiers
Object obj = mapper.readValue(jsonContent, Object.class); // nominal type java.lang.Object

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the [apache-xalan](https://github.com/apache/xalan-j) gadget, a JNDI controller called JNDIConnectionPool can be used by an attacker to initiate connection with a malicious server and achieve remote code execution by loading arbitrary Java classes. For that the attacker will invoke the setJndiPath method to set the jndiPath to something like "ldap://127.0.0.1:1088/Exploit" as detailed in this PoC of a similar issue.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes apache-xalan in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove apache-xalan from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, java.lang.Object.class). Instead, try to deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-14061 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper, is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = new ObjectMapper().readValue(new File("phone.json"), Phone.class);
// or
// Object from HTTP-hosted JSON file
Phone p = new ObjectMapper().readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // accepts attacker-controlled "@class" type identifiers
Object obj = mapper.readValue(jsonContent, Object.class); // nominal type java.lang.Object

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the Oracle-aq-jms gadget, an attacker can pivot JMS to load arbitrary classes by invoking AQjmsQueueConnectionFactory class methods and achieving remote code execution.

When this library is included, an attacker can build a working exploit, and even automate this process by using ysoserial, a tool that finds gadgets and creates payloads for vulnerable Java deserializers.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes Oracle-aq-jms in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove Oracle-aq-jms from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, java.lang.Object.class). Instead, try to deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2020-14062 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper, is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = new ObjectMapper().readValue(new File("phone.json"), Phone.class);
// or
// Object from HTTP-hosted JSON file
Phone p = new ObjectMapper().readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // accepts attacker-controlled "@class" type identifiers
Object obj = mapper.readValue(jsonContent, Object.class); // nominal type java.lang.Object

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the Apache Xalan (aka embedded Xalan) gadget, a JNDI controller called JNDIConnectionPool can be used by an attacker to initiate connection with a malicious server and achieve remote code execution by loading arbitrary Java classes. For that the attacker will invoke the setJndiPath method to set the jndiPath to something like "ldap://127.0.0.1:1088/Exploit". This vulnerability allows the attacker to perform remote code execution as shown in this PoC of an older issue by using marshalsec (see section "Build an environment").

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes apache-xalan in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

If possible, remove apache-xalan from your Java classpath with the help of this guide. Otherwise, avoid using java.lang.Object as the deserialized object type, as in obj = mapper.readValue(content, java.lang.Object.class); try to deserialize to the specific object type you need. Also, if possible, avoid enabling default typing (mapper.enableDefaultTyping()).

[ CVE-2021-43797 ] io.netty:netty 3.10.6.Final

Description:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

[ CVE-2021-21409 ] io.netty:netty 3.10.6.Final

Description:
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which missed fixing this one case. This was fixed as part of 4.1.61.Final.

[ CVE-2021-21295 ] io.netty:netty 3.10.6.Final

Description:
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest, HttpContent, etc.) via Http2StreamFrameToHttpObjectCodec and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: HTTP2MultiplexCodec or Http2FrameCodec is used, Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom ChannelInboundHandler that is put in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec.

[ CVE-2020-13955 ] org.apache.calcite:calcite-core 1.19.0.7.1.9.0-387

Description:
The HttpUtils#getURLConnection method explicitly disables hostname verification for HTTPS connections, making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect with Druid and Splunk, so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class, so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore.

[ CVE-2020-13955 ] org.apache.calcite:calcite-druid 1.19.0.7.1.9.0-387

Description:
The HttpUtils#getURLConnection method explicitly disables hostname verification for HTTPS connections, making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect with Druid and Splunk, so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class, so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore.

[ CVE-2019-12384 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper, is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON, web requests and many more, for example:

// Object from local JSON file
Phone p = new ObjectMapper().readValue(new File("phone.json"), Phone.class);
// or
// Object from HTTP-hosted JSON file
Phone p = new ObjectMapper().readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // accepts attacker-controlled "@class" type identifiers
Object obj = mapper.readValue(jsonContent, Object.class); // nominal type java.lang.Object

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, the following classes were found to be able to cause remote code execution when used as Java gadgets:

ch.qos.logback.core.db.DriverManagerConnectionSource

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes one of the above classes in its Java classpath
  • The service has polymorphic type handling enabled
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be obj = mapper.readValue(content, java.lang.Object.class). Instead, try to deserialize to the specific object type that you need rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2019-12814 ] org.codehaus.jackson:jackson-mapper-asl 1.9.2

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper, is responsible for serialization and deserialization of Java objects.
Jackson also supports deserialization of polymorphic types when default typing is enabled. This can be enabled by adding @JsonTypeInfo(use = Id.CLASS) according to your function to determine its type, or by calling enableDefaultTyping() on your ObjectMapper.
This identifier allows the ObjectMapper to accept type identifiers and interpret them as an object like so:

{ "phone" : {
 "@class" : "package.InternationalNumber",
 "areaCode" : 555,
 ...
 }
}

ObjectMapper can accept inputs from various sources such as files, URLs, JSON strings, web requests and many more, for example:

ObjectMapper mapper = new ObjectMapper();
// Object from local JSON file
Phone p = mapper.readValue(new File("phone.json"), Phone.class);
Or
// Object from HTTP-hosted JSON file
Phone p = mapper.readValue(new URL("https://www.somedomain.com/src/test/json_car.json"), Phone.class);

Support for polymorphic type deserialization allows an attacker to create almost any class at the server-side, assuming an attacker-supplied JSON file is deserialized.
A vulnerable server-side handling of the serialized data may look like this:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
Object obj = mapper.readValue(jsonContent, Object.class);

The server-side creates the desired object by calling mapper.readValue(…) which will call all of its setters with the arguments supplied within the request.

To exploit this issue, an attacker has to find code modules or functions included in the Java classpath that aren’t blacklisted by Jackson-databind, that will allow the attacker to perform operations with some security impact (such as remote code injection) when chained together. These code modules are also known as gadgets.

Specifically, with the JDOM gadget, an attacker can craft a special JSON request that leads to an arbitrary read via an unknown class inside the JDOM plugin.

Exploitation requires:

  • Default typing enabled for external JSON endpoints
  • The vulnerable java service includes JDOM in its Java classpath
  • The service deserializes objects with nominal type of java.lang.Object.

Remediation:

Deployment mitigations

Remove JDOM from your Java classpath with the help of this guide

Development mitigations

Avoid using java.lang.Object as the deserialized object type. For example, a vulnerable usage would be - Object obj = mapper.readValue(content, Object.class). Instead, deserialize to the specific object type that you need, rather than java.lang.Object.

Development mitigations

Avoid enabling default typing (mapper.enableDefaultTyping())

[ CVE-2021-21290 ] io.netty:netty 3.10.6.Final

Description:
Netty is an asynchronous event-driven framework for developing client and server Java applications.

Netty's io.netty:netty-codec-http package offers multipart decoders (HttpPostMultipartRequestDecoder) for handling HTTP POST requests whose BODY data requires splitting the request to several requests, i.e. in case multiple files are uploaded or when mixed data types are uploaded.

In Netty prior to 4.1.77.Final, local information disclosure may occur when file uploads are stored on the disk, since they're created in the shared system temporary directory, using world-readable permissions. For files to be stored on the disk, the uploaded file size must exceed the minSize threshold, which can also be set upon object creation, and defaults to 16KB. Alternatively, files will be stored on the disk if the HttpDataFactory used by HttpPostMultipartRequestDecoder is initialized to always use the disk by setting the useDisk parameter to true.

This vulnerability's fix is incomplete. In order to completely fix the vulnerability, this CVE's patch must be applied together with CVE-2022-24823's patch.

Unix-based operating systems are affected, as well as older versions of macOS and Windows, which share a temporary directory between all users. Additionally, only Netty applications running on Java 6 or lower are affected. Since Java 6 is an extremely old version, this greatly reduces the amount of potentially vulnerable machines.

Remediation:

Deployment mitigations

Change the configured JVM's java.io.tmpdir to a directory which is not readable by all. For instance:

java -Djava.io.tmpdir=/tmp/private

Development mitigations

Use DefaultHttpDataFactory.setBaseDir to set the directory in which uploaded files are stored to one that isn't readable by all. For instance:

private static final DefaultHttpDataFactory factory = new DefaultHttpDataFactory();
factory.setBaseDir("/tmp/private");

[ CVE-2024-23454 ] org.apache.hadoop:hadoop-common 2.10.2

Description:
Apache Hadoop's RunJar.run() does not set permissions for its temporary directory by default. If sensitive data is present in that directory, all other local users may be able to view the content. This is because, on Unix-like systems, the system temporary directory is shared between all local users. As such, files written in this directory without explicitly setting the correct POSIX permissions may be viewable by all other local users.

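The jackson-databind entries above explain default typing and its two mitigations in prose. The following is an added example written for this review; it is not part of the frogbot report, the JFrog advisory text, or the Pentaho code base. It assumes jackson-databind 2.10 or later (the release that introduced PolymorphicTypeValidator and deprecated enableDefaultTyping()), a hypothetical model (Phone, InternationalNumber, Contact) in the default package, and two constructed payloads. It places the report's enableDefaultTyping() / readValue(json, Object.class) pattern beside a hardened mapper that activates default typing only through an allow-list validator, and shows the hardened mapper rejecting a type id outside that list while still binding the application's own subtype.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not project code. Requires jackson-databind >= 2.10.
public class DefaultTypingDemo {

    // Hypothetical application model with one polymorphic field.
    public abstract static class Phone { public int areaCode; }
    public static class InternationalNumber extends Phone { public String countryCode; }
    public static class Contact { public Phone phone; }

    // Constructed payloads. Default typing's wire format is ["<type id>", {...}].
    // The hostile one names a class the application never meant to instantiate;
    // a real attack would name a gadget such as the logback class in the report.
    static final String HOSTILE = "[\"java.util.HashMap\", {\"k\": \"v\"}]";
    static final String BENIGN =
        "{\"phone\": [\"DefaultTypingDemo$InternationalNumber\","
        + " {\"areaCode\": 555, \"countryCode\": \"+1\"}]}";

    // The pattern the report flags: global default typing with a laissez-faire
    // validator, reading into java.lang.Object. Any class on the classpath that
    // is not on Jackson's built-in blocklist can be named by the caller.
    @SuppressWarnings("deprecation")
    static Object vulnerableRead(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper.readValue(json, Object.class);
    }

    // Hardened: default typing still on (the model needs it for Phone), but every
    // type id is checked by a validator that admits subtypes of Phone and nothing else.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Phone.class)
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Laissez-faire mapper: the type id in the payload decides what gets built.
        Object o = vulnerableRead(HOSTILE);
        System.out.println("vulnerable mapper built: " + o.getClass().getName());

        ObjectMapper safe = hardenedMapper();

        // Legitimate polymorphism still works, because InternationalNumber extends Phone.
        Contact c = safe.readValue(BENIGN, Contact.class);
        System.out.println("hardened mapper built: " + c.phone.getClass().getSimpleName());

        // The same hostile payload is refused before any class is instantiated.
        try {
            safe.readValue(HOSTILE, Object.class);
            System.out.println("unexpected: hostile type id accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

The validator is the second of the report's mitigations made enforceable: default typing is not disabled outright (some models genuinely need it), but the set of classes a type id may name is pinned to the application's own hierarchy. The first mitigation, binding to a concrete type such as Contact instead of Object, is what makes the BENIGN read safe even without the validator; the two work together, since a concrete root type does not protect polymorphic fields nested inside it.
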

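The Netty and Hadoop entries above both come down to the same defect: files written into the shared system temporary directory without explicit permissions. The following is an added example, not part of the frogbot report or of either project, showing how a Java service can build the private directory it would then hand to -Djava.io.tmpdir or to DefaultHttpDataFactory.setBaseDir, write an upload into it with owner-only permissions fixed at creation time, and verify at startup that whatever directory is configured is not group- or world-accessible. It uses only java.nio.file, assumes a POSIX file system (the PosixFilePermission calls throw UnsupportedOperationException on Windows), and the upload body is a constructed byte string.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added example, not project code. POSIX file systems only.
public class PrivateTempDir {

    // Creates a per-process scratch directory under java.io.tmpdir that only the
    // owner can enter, read or write (mode 0700). The mode is passed to mkdir(2)
    // itself, so there is no window in which a umask-derived mode is in effect.
    static Path createPrivateScratch(String prefix) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
        Path base = Paths.get(System.getProperty("java.io.tmpdir"));
        return Files.createTempDirectory(base, prefix, attr);
    }

    // Writes an upload body into the scratch directory as a 0600 file. The mode is
    // set at open(2) time, not with a chmod after the data is already on disk.
    static Path writeUpload(Path dir, byte[] body) throws IOException {
        FileAttribute<Set<PosixFilePermission>> attr =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        Path file = Files.createTempFile(dir, "upload", ".part", attr);
        Files.write(file, body);
        return file;
    }

    // Startup guard: true only if no group or other permission bit is set on the
    // directory. A stock /tmp (mode 1777) fails this check, which is the point.
    static boolean isPrivate(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        for (PosixFilePermission p : perms) {
            String name = p.name();
            if (name.startsWith("GROUP_") || name.startsWith("OTHERS_")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        Path shared = Paths.get(System.getProperty("java.io.tmpdir"));
        System.out.println(shared + " private? " + isPrivate(shared));

        Path scratch = createPrivateScratch("upload-");
        // Constructed stand-in for a decoded multipart part body.
        byte[] body = "constructed multipart body".getBytes(StandardCharsets.UTF_8);
        Path f = writeUpload(scratch, body);

        System.out.println(scratch + " private? " + isPrivate(scratch));
        System.out.println(f + " mode " + PosixFilePermissions.toString(Files.getPosixFilePermissions(f)));
    }
}
```

Pointing java.io.tmpdir at /tmp/private, as the report suggests, only helps if that directory is itself 0700 and owned by the service account; the isPrivate check is the cheap way to refuse to start when an operator created it with default permissions. Once createPrivateScratch has produced the directory, its path is what goes into DefaultHttpDataFactory.setBaseDir for Netty, and the same pattern applies to any other library that unpacks or spools data under the system temporary directory.
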
@buildguy
Collaborator

❌ Build failed in 1h 8m 50s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox -pl \
shims/cdpdc71/driver,shims/dataproc1421,shims/dataproc1421/driver,shims/emr700/driver,shims/hdi40/driver

❗ No tests found!

ℹ️ This is an automatic message

Contributor

@singletonc singletonc left a comment


Do we have some official approval of these critically vulnerable versions mentioned somewhere?

@soagarwal1
Contributor Author

soagarwal1 commented Jan 27, 2025

@singletonc @NJtwentyone Most of these vulnerabilities are false positives as we are not bringing these libraries in our builds, they are transitive dependencies and we have non-vulnerable versions in our jars.

Contributor

@NJtwentyone NJtwentyone left a comment


#1548 (review)

author added the other shim/drivers. And from my understanding of offline conversation the org.apache.hive:hive-service will be addressed outside of this jira issue/pull request.

@singletonc singletonc merged commit 82d1c18 into pentaho:master Jan 27, 2025
1 of 2 checks passed