CVE-2020-11619 Overview
FasterXML jackson-databind 2.x before version 2.9.10.4 contains an insecure deserialization vulnerability that mishandles the interaction between serialization gadgets and typing. This vulnerability is specifically related to the org.springframework.aop.config.MethodLocatingFactoryBean class (spring-aop), which can be abused as a deserialization gadget when polymorphic type handling is enabled.
When an application uses jackson-databind with default typing enabled, an attacker can craft malicious JSON payloads that exploit the spring-aop gadget chain. Successful exploitation could allow remote attackers to execute arbitrary code on vulnerable systems, potentially leading to complete system compromise.
Critical Impact
Remote code execution through insecure deserialization in jackson-databind when processing untrusted JSON input with polymorphic type handling enabled.
Affected Products
- FasterXML jackson-databind versions 2.x before 2.9.10.4
- Debian Linux 8.0
- NetApp Active IQ Unified Manager (Linux, Windows, VMware vSphere)
- NetApp SteelStore Cloud Integrated Storage
- Oracle Agile PLM 9.3.6
- Oracle Banking Platform
- Oracle Communications Calendar Server 8.0.0.4.0
- Oracle Communications Contacts Server 8.0.0.4.0 and 8.0.0.5.0
- Oracle Communications Diameter Signaling Router
- Oracle Communications Evolved Communications Application Server 7.1
- Oracle Communications Instant Messaging Server 10.0.1.4.0
- Oracle Communications Network Charging and Control
- Oracle Enterprise Manager Base Platform 13.3.0.0 and 13.4.0.0
- Oracle Global Lifecycle Management OPatch
- Oracle JD Edwards EnterpriseOne Orchestrator
- Oracle JD Edwards EnterpriseOne Tools
- Oracle Primavera Unifier (multiple versions including 16.1, 16.2, 18.8, 19.12)
- Oracle Retail Merchandising System 15.0
- Oracle Retail Sales Audit 14.1
- Oracle Retail Xstore Point of Service (versions 15.0 through 19.0)
- Oracle WebLogic Server 12.2.1.3.0 and 12.2.1.4.0
Discovery Timeline
- April 7, 2020 - CVE-2020-11619 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-11619
Vulnerability Analysis
This vulnerability belongs to a class of insecure deserialization flaws that have repeatedly affected jackson-databind. The core issue stems from how jackson-databind handles polymorphic type deserialization when combined with certain "gadget" classes present in application classpaths.
Polymorphic type handling tells jackson-databind to write the concrete class name into the JSON and, on the way back in, to instantiate whatever class that name resolves to. It is switched on globally with enableDefaultTyping() (2.9.x) or activateDefaultTyping() (2.10+), or per type with @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) (or MINIMAL_CLASS) on a base type broad enough to admit arbitrary subtypes, such as Object, an interface, or a non-final class. @JsonTypeInfo with Id.NAME and a fixed @JsonSubTypes list is not affected, because the type id is a logical name rather than a class name. If an attacker controls the input JSON, they control the class name: jackson-databind loads that class, instantiates it, and calls its setters with attacker-supplied values.
The org.springframework.aop.config.MethodLocatingFactoryBean class from spring-aop is a class that, instantiated and populated this way, can be driven to code execution. spring-aop is a transitive dependency of most Spring-based applications, so the gadget is present on a large share of enterprise Java classpaths whether or not the application uses AOP itself.
Root Cause
The root cause is that polymorphic deserialization accepts a class name from the input, and the only control in jackson-databind 2.9.x is a hard-coded denylist (SubTypeValidator) of classes already known to be dangerous. A denylist is reactive by construction: each newly identified gadget is exploitable until it is added. CVE-2020-11619 is one such gap: MethodLocatingFactoryBean was not on the list, so an application with spring-aop on the classpath and default typing enabled remained exploitable on an otherwise current 2.9.10.3.
The vulnerability exists because:
- Polymorphic type handling allows untrusted input to specify class types
- The spring-aop MethodLocatingFactoryBean class was not included in the gadget blocklist
- Applications with spring-aop on the classpath and default typing enabled become vulnerable
Attack Vector
The attack requires the following conditions:
- The target application uses a vulnerable version of jackson-databind
- Polymorphic type handling is enabled (default typing, or @JsonTypeInfo with Id.CLASS or MINIMAL_CLASS on a broad base type)
- The spring-aop library is present on the application's classpath
- The application processes attacker-controlled JSON input
An attacker crafts JSON whose type id names org.springframework.aop.config.MethodLocatingFactoryBean, together with property values that drive the gadget to code execution as its setters are invoked during deserialization. When the vulnerable application parses this JSON, the chain runs with the privileges of the application process. The class name only needs to be resolvable on the classpath; the application does not have to use spring-aop anywhere in its own code.
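As an added illustration (this is not code from the page, from FasterXML or from Spring; it assumes jackson-databind 2.9.x on the classpath and uses an illustrative Greeting bean), the following program shows what enableDefaultTyping() puts on the wire and what happens when the type id in that position is replaced with the class named by this CVE. The hostile input deliberately carries no properties: it demonstrates that the class name is attacker-controlled, not a working chain.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added example, not from the original page or from FasterXML.
// Assumes jackson-databind 2.9.x; Greeting is an illustrative class of our own.
public class DefaultTypingDemo {

    // A harmless bean used only to show the serialized shape.
    public static class Greeting {
        public String text = "hello";
    }

    // Vulnerable configuration: the setting this advisory is about.
    // NON_FINAL means every non-final declared type (including Object) carries
    // a fully qualified class name in the JSON, and that name is trusted on input.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = vulnerableMapper();

        // 1. What default typing emits: a two-element wrapper array whose first
        //    element is the class name (As.WRAPPER_ARRAY is the default inclusion).
        String out = mapper.writerFor(Object.class).writeValueAsString(new Greeting());
        System.out.println(out);
        // e.g. ["DefaultTypingDemo$Greeting",{"text":"hello"}]

        // 2. Constructed attacker-style input: the type id is swapped for the
        //    spring-aop gadget named in CVE-2020-11619. The property object is
        //    left empty on purpose; the point is the class resolution.
        String hostile = "[\"org.springframework.aop.config.MethodLocatingFactoryBean\",{}]";
        try {
            Object o = mapper.readValue(hostile, Object.class);
            // Reached only on an unpatched mapper with spring-aop present:
            // jackson has instantiated an attacker-chosen class.
            System.out.println("instantiated " + o.getClass().getName());
        } catch (JsonMappingException e) {
            // 2.9.10.4+:        "Illegal type (...) to deserialize: prevented for security reasons"
            // spring-aop absent: type id resolution failure (class not found)
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

On 2.9.10.3 and earlier with spring-aop present, the catch block is never reached and the first branch prints the gadget's class name; that is the whole vulnerability. On 2.9.10.4 and later the denylist in SubTypeValidator throws before the class is instantiated, and the same test is a quick way to confirm which jackson-databind actually ended up on a deployed classpath.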
Detection Methods for CVE-2020-11619
Indicators of Compromise
- JSON payloads carrying org.springframework.aop.config.MethodLocatingFactoryBean as a type id, either as the first element of a two-element array (the As.WRAPPER_ARRAY shape produced by enableDefaultTyping()) or as the value of an "@class" or "@type" property (As.PROPERTY). Match on decoded bodies: JSON string escapes such as backslash-u sequences defeat a plain substring check
- Unexpected process spawning from Java application processes
- Network connections to suspicious external hosts initiated by the Java process
- Deserialization exceptions naming spring-aop classes, in particular an InvalidDefinitionException containing "prevented for security reasons" (the 2.9.10.4+ denylist rejecting the gadget) or an InvalidTypeIdException "Could not resolve type id" when spring-aop is absent; either one means a client supplied that type id
Detection Strategies
- Implement application-level logging for all deserialization operations and monitor for unusual class instantiation
- Use Web Application Firewall (WAF) rules to flag known jackson-databind gadget class names in JSON type-id positions, applied after JSON decoding so that escaped or split class names are still caught; treat this as a tripwire, not a fix, since the list of gadgets is open-ended
- Deploy runtime application self-protection (RASP) solutions to monitor deserialization behavior
- Conduct regular dependency scanning to identify vulnerable jackson-databind versions in your software inventory
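An added example (not from the page) of the payload check behind the first indicator and the WAF bullet above: it extracts type ids from both shapes default typing produces, decodes JSON backslash-u escapes first so that a trivially obfuscated class name is still caught, and tests them against a denylist. The sample bodies are constructed for the demo; the denylist here is only the class named by this CVE plus one package prefix and is an assumption, not the full jackson-databind blocklist.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not from the original page. Sample payloads are constructed,
// and DENIED is an illustrative list, not the jackson-databind blocklist.
public class GadgetHintScanner {

    // Class names, or package prefixes ending in '.', that must never arrive as a type id.
    static final List<String> DENIED = List.of(
            "org.springframework.aop.config.MethodLocatingFactoryBean",
            "org.springframework.");   // assumption: no Spring class is a legitimate JSON type id here

    // Shape 1: {"@class":"com.x.Y", ...} or any other "@..." type property (As.PROPERTY).
    static final Pattern PROPERTY_FORM =
            Pattern.compile("\"@[A-Za-z]+\"\\s*:\\s*\"([^\"]+)\"");
    // Shape 2: ["com.x.Y", {...}] (As.WRAPPER_ARRAY, the enableDefaultTyping() default).
    static final Pattern WRAPPER_ARRAY_FORM =
            Pattern.compile("\\[\\s*\"([A-Za-z_$][A-Za-z0-9_$.]*)\"\\s*,\\s*[\\[{]");

    // Undo JSON backslash-u escapes so "F\u0061ctory" and "Factory" compare equal.
    static String decodeUnicodeEscapes(String s) {
        Matcher m = Pattern.compile("\\\\u([0-9a-fA-F]{4})").matcher(s);
        StringBuilder sb = new StringBuilder();
        while (m.find()) {
            char c = (char) Integer.parseInt(m.group(1), 16);
            m.appendReplacement(sb, Matcher.quoteReplacement(String.valueOf(c)));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    // All candidate type ids found in a request body.
    static List<String> typeIds(String body) {
        String decoded = decodeUnicodeEscapes(body);
        List<String> ids = new ArrayList<>();
        for (Pattern p : List.of(PROPERTY_FORM, WRAPPER_ARRAY_FORM)) {
            Matcher m = p.matcher(decoded);
            while (m.find()) ids.add(m.group(1));
        }
        return ids;
    }

    // First denied type id in the body, if any.
    static Optional<String> deniedTypeId(String body) {
        for (String id : typeIds(body)) {
            for (String d : DENIED) {
                if (id.equals(d) || (d.endsWith(".") && id.startsWith(d))) return Optional.of(id);
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        Map<String, String> samples = new LinkedHashMap<>();   // constructed, not captured traffic
        samples.put("benign @class",        "{\"@class\":\"com.example.Order\",\"id\":42}");
        samples.put("gadget wrapper array", "[\"org.springframework.aop.config.MethodLocatingFactoryBean\",{}]");
        samples.put("gadget @class",        "{\"@class\":\"org.springframework.aop.config.MethodLocatingFactoryBean\"}");
        samples.put("gadget escaped",       "[\"org.springframework.aop.config.MethodLocatingF\\u0061ctoryBean\",{}]");
        samples.put("plain string array",   "[\"alpha\",\"beta\"]");
        samples.forEach((label, body) -> System.out.printf("%-20s -> %s%n", label,
                deniedTypeId(body).map(id -> "BLOCK " + id).orElse("pass")));
    }
}
```

Only the three gadget samples are blocked; the benign @class body and the plain string array pass, because the check keys on the extracted type id rather than on any string that happens to sit first in an array. The decode step is what separates this from a substring rule: without it the escaped sample would sail through.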
Monitoring Recommendations
- Enable verbose logging for jackson-databind operations in development and staging environments
- Monitor application memory usage for unusual patterns that may indicate deserialization attacks
- Track outbound network connections from Java applications to detect potential command-and-control communication
- Implement centralized log aggregation to correlate potential attack indicators across multiple systems
How to Mitigate CVE-2020-11619
Immediate Actions Required
- Upgrade jackson-databind to version 2.9.10.4 or later immediately
- If patching must wait, disable default typing (remove enableDefaultTyping() calls) unless a documented feature depends on it; most applications that have it on never needed it
- Where polymorphism is genuinely required, move to jackson-databind 2.10 or later and use activateDefaultTyping() with a PolymorphicTypeValidator allowlist (BasicPolymorphicTypeValidator); 2.9.x has no allowlist API, only the built-in denylist
- Remove spring-aop from the classpath if it is not required by the application
Patch Information
FasterXML has released jackson-databind version 2.9.10.4 which adds org.springframework.aop.config.MethodLocatingFactoryBean to the blocklist of classes that cannot be deserialized polymorphically. For more details, see the GitHub Issue Discussion.
Multiple vendors have released patches incorporating the fixed jackson-databind version:
- Oracle Critical Patch Update July 2020
- Oracle Critical Patch Update October 2020
- Oracle Critical Patch Update January 2021
- NetApp Security Advisory
- Debian LTS Announcement
Workarounds
- Disable default typing entirely if polymorphic deserialization is not required for business functionality
- Use ObjectMapper.activateDefaultTyping() (2.10+) with a BasicPolymorphicTypeValidator that allows only your own base types; everything not on the allowlist, including the spring-aop gadget, is then rejected at type-id resolution
- Apply application-level input validation to reject JSON containing unexpected type indicators, in both the "@class" property and wrapper-array shapes
- Do not try to extend the built-in denylist yourself: it is not a public API in 2.9.x, and a denylist is bypassed by the next gadget. If you must stay on 2.9.x, drop default typing or restrict it to a closed set of your own types rather than enumerating bad classes
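The two allowlist approaches from the list above, as an added example (not the page's own code and not from FasterXML; it assumes jackson-databind 2.10 or later, since PolymorphicTypeValidator does not exist in 2.9.x, and the Shape, Circle and Square types are illustrative):

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not from the original page. Assumes jackson-databind 2.10+;
// Shape/Circle/Square are illustrative types of our own.
public class SafePolymorphism {

    // Option 1: keep default typing but replace the denylist with an allowlist.
    // Any type id that does not resolve to a subtype of Shape is denied.
    static ObjectMapper allowlistedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Option 2 (preferred): no default typing at all. Type ids are logical names
    // mapped to a closed set of subclasses, so a class name in the JSON is meaningless.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public interface Shape {}
    public static class Circle implements Shape { public double r; }
    public static class Square implements Shape { public double side; }

    public static void main(String[] args) throws Exception {
        String gadget = "[\"org.springframework.aop.config.MethodLocatingFactoryBean\",{}]";

        // Option 1: the validator refuses the gadget because it is not a Shape ...
        try {
            allowlistedMapper().readValue(gadget, Object.class);
        } catch (JsonMappingException e) {
            System.out.println("allowlist rejected: " + e.getOriginalMessage());
        }
        // ... while our own types still round-trip through the same mapper.
        Object ok = allowlistedMapper().readValue("[\"SafePolymorphism$Circle\",{\"r\":2}]", Object.class);
        System.out.println("accepted " + ok.getClass().getSimpleName());

        // Option 2: plain mapper; "kind" is looked up in @JsonSubTypes, never loaded as a class.
        ObjectMapper plain = new ObjectMapper();
        Shape s = plain.readValue("{\"kind\":\"square\",\"side\":3}", Shape.class);
        System.out.println("named subtype -> " + s.getClass().getSimpleName());
        try {
            plain.readValue("{\"kind\":\"org.springframework.aop.config.MethodLocatingFactoryBean\"}", Shape.class);
        } catch (JsonMappingException e) {
            System.out.println("unknown name rejected: " + e.getOriginalMessage());
        }
    }
}
```

Option 1 is the drop-in fix for code that already depends on default typing; Option 2 is what to migrate to, because it never turns an input string into a Class lookup and therefore has nothing for a future gadget to hit.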
Maven: update pom.xml to the patched version (2.9.10.4, or a later 2.9.10.x or 2.10+ release). If the old version arrives transitively, pin it in <dependencyManagement> as well, otherwise the transitive copy can win:

    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.10.4</version>
    </dependency>

Gradle:

    implementation 'com.fasterxml.jackson.core:jackson-databind:2.9.10.4'

Verify the version that actually ends up on the classpath (frameworks such as Spring Boot manage jackson-databind themselves and can pull in an older build than the one you declared); the Gradle dependencies report serves the same purpose:

    mvn dependency:tree | grep jackson-databind
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


