HelpSystems Acquires Beyond Security to Continue Expansion of Cybersecurity Portfolio.   READ THE PRESS RELEASE
Beyond Security Blog

Jackson Deserialization of Untrusted Data Vulnerability

Summary

When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known “deserialization gadgets”.

Credit:

The information has been provided by Srikanth Ramu

The original article can be found at:https://tanzu.vmware.com/security/cve-2020-5411

Details

When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known “deserialization gadgets”. Spring Batch configures Jackson with global default typing enabled which means that through the previous exploit, arbitrary code could be executed if all of the following is true: * Spring Batch’s Jackson support is being leveraged to serialize a job’s ExecutionContext. * A malicious user gains write access to the data store used by the JobRepository (where the data to be deserialized is stored). In order to protect against this type of attack, Jackson prevents a set of untrusted gadget classes from being deserialized. Spring Batch should be proactive against blocking unknown “deserialization gadgets” when enabling default typing.

Vulnerable Systems:

Jackson 

CVE Information:

CVE-2020-5411

Disclosure Timeline:
Published Date:6/11/2020

SecuriTeam

SecuriTeam is a small group within Beyond Security dedicated to bringing you the latest news and utilities in computer security.

Please visit our central security portal at securiteam.com to keep up-to-date with the latest security research and read our archives containing over 10,000 articles about CVEs and zero-day exploits.

Contact Us

Want to learn more? Fill out the form below and we'll be in touch shortly.

Marketing by
By clicking Submit, I agree to the use of my personal data in accordance with the Beyond Security Privacy Policy. Beyond Security will not sell, trade, lease, or rent your personal data to third parties.

Reviews