CVE-2020-10673 Overview
FasterXML jackson-databind 2.x before version 2.9.10.4 contains an insecure deserialization vulnerability that mishandles the interaction between serialization gadgets and typing. This vulnerability is specifically related to com.caucho.config.types.ResourceRef (also known as caucho-quercus), which can be exploited when polymorphic type handling is enabled in applications using jackson-databind.
The vulnerability allows remote attackers to achieve remote code execution or other malicious outcomes by sending specially crafted JSON input to applications that deserialize untrusted data using vulnerable jackson-databind configurations.
Critical Impact
Remote code execution possible through deserialization of malicious JSON payloads when polymorphic type handling is enabled, affecting numerous enterprise applications across Oracle, NetApp, and Debian ecosystems.
Affected Products
- FasterXML jackson-databind (versions 2.x before 2.9.10.4)
- Debian Linux 8.0
- NetApp SteelStore Cloud Integrated Storage
- Oracle WebLogic Server (12.2.1.3.0, 12.2.1.4.0)
- Oracle Communications Suite (Calendar Server, Contacts Server, Instant Messaging Server)
- Oracle Banking Digital Experience (versions 18.1 through 20.1)
- Oracle Primavera Unifier (versions 16.1, 16.2, 18.8, 19.12)
- Oracle Retail XStore Point of Service (versions 15.0 through 19.0)
- Oracle Enterprise Manager Base Platform (13.3.0.0, 13.4.0.0)
Discovery Timeline
- 2020-03-18 - CVE-2020-10673 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-10673
Vulnerability Analysis
This vulnerability belongs to a class of jackson-databind deserialization issues that exploit polymorphic type handling features. When an application enables default typing or uses @JsonTypeInfo annotations with unsafe configurations, attackers can inject arbitrary class instantiation requests through specially crafted JSON payloads.
The specific gadget chain involves com.caucho.config.types.ResourceRef from the Caucho Quercus library. This class, when deserialized, can be manipulated to perform JNDI lookups or execute other dangerous operations that lead to remote code execution.
The attack requires that the vulnerable caucho-quercus library is present on the classpath alongside the vulnerable jackson-databind version, and that the application processes untrusted JSON data with polymorphic deserialization enabled.
Root Cause
The root cause is insufficient validation of class types during polymorphic deserialization in jackson-databind. The library failed to include com.caucho.config.types.ResourceRef in its blocklist of dangerous gadget classes, allowing attackers to specify this class as a deserialization target.
Jackson-databind's polymorphic type handling allows JSON to specify which Java class should be instantiated during deserialization. Without proper restrictions, attackers can abuse this feature to instantiate dangerous classes that perform malicious actions during object construction or property setting.
Attack Vector
The attack is network-based and requires user interaction in the form of processing attacker-controlled JSON data. An attacker must craft a JSON payload that:
- Specifies com.caucho.config.types.ResourceRef as the target class for deserialization
- Includes properties that trigger malicious behavior when the object is instantiated
- Is processed by an application with polymorphic type handling enabled
The exploitation scenario typically involves applications that accept JSON input from untrusted sources and deserialize it using ObjectMapper with default typing or similar configurations enabled. The attacker submits malicious JSON containing the gadget class reference, and upon deserialization, the gadget chain executes arbitrary code or performs other malicious actions.
For detailed technical analysis and exploitation mechanics, refer to GitHub Issue #2660 and the Medium Analysis on Jackson CVEs.
Detection Methods for CVE-2020-10673
Indicators of Compromise
- Incoming JSON payloads containing class type identifiers referencing com.caucho.config.types.ResourceRef
- Unusual JNDI lookup attempts or outbound connections following JSON processing
- Application logs showing deserialization errors or unexpected class instantiation attempts
- Stack traces containing references to Caucho Quercus classes in unexpected contexts
Detection Strategies
- Implement application-level logging to capture incoming JSON payloads and flag those containing suspicious type identifiers
- Deploy network intrusion detection rules to identify JSON traffic containing known jackson-databind gadget class names
- Monitor application behavior for signs of JNDI injection or unexpected outbound network connections
- Use Software Composition Analysis (SCA) tools to identify vulnerable jackson-databind versions in your codebase
Monitoring Recommendations
- Enable detailed logging for JSON deserialization operations in production environments
- Set up alerts for any deserialization exceptions or errors that may indicate exploitation attempts
- Monitor for unusual process spawning or network activity from Java applications processing JSON data
- Regularly audit application dependencies to detect vulnerable library versions
How to Mitigate CVE-2020-10673
Immediate Actions Required
- Upgrade jackson-databind to version 2.9.10.4 or later immediately
- Audit applications for usage of polymorphic type handling (enableDefaultTyping() or @JsonTypeInfo)
- If upgrading is not immediately possible, disable default typing or implement explicit type validation
- Review and restrict classpaths to remove unnecessary gadget libraries like caucho-quercus
Patch Information
FasterXML addressed this vulnerability by adding com.caucho.config.types.ResourceRef to the blocklist of dangerous gadget classes. The fix is included in jackson-databind version 2.9.10.4 and all subsequent releases. Organizations should upgrade to the latest stable version of jackson-databind to receive this fix along with protections against other known gadget chains.
For Oracle products, refer to the Oracle Security Alert July 2020, Oracle Security Alert October 2020, Oracle Security Alert January 2021, and Oracle Security Alert October 2021 for product-specific patching information.
Debian users should refer to the Debian LTS Announcement for package updates. NetApp users should consult the NetApp Security Advisory.
Workarounds
- Disable polymorphic type handling entirely by avoiding ObjectMapper.enableDefaultTyping() calls
- Use ObjectMapper.activateDefaultTyping() with explicit PolymorphicTypeValidator to whitelist allowed classes
- Remove the caucho-quercus library from application classpaths if it is not required
- Implement input validation to reject JSON containing unexpected type identifiers before deserialization
# Maven dependency update example
# Update pom.xml to use patched version:
# <dependency>
# <groupId>com.fasterxml.jackson.core</groupId>
# <artifactId>jackson-databind</artifactId>
# <version>2.9.10.4</version>
# </dependency>
# Verify current jackson-databind version in Maven project
mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind
# For Gradle projects, update build.gradle:
# implementation 'com.fasterxml.jackson.core:jackson-databind:2.9.10.4'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
