CVE-2020-14062 Overview
CVE-2020-14062 is an insecure deserialization vulnerability in FasterXML jackson-databind 2.x before version 2.9.10.5. The vulnerability stems from improper handling of the interaction between serialization gadgets and polymorphic typing, specifically related to the com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool class (also known as xalan2). This flaw allows attackers to craft malicious JSON payloads that, when deserialized by vulnerable applications, can lead to remote code execution.
Critical Impact
Attackers can exploit this deserialization vulnerability to achieve remote code execution on systems running vulnerable jackson-databind versions when polymorphic type handling is enabled and the xalan2 library is present in the classpath.
Affected Products
- FasterXML jackson-databind versions prior to 2.9.10.5
- NetApp Active IQ Unified Manager (Linux, Windows, VMware vSphere)
- NetApp SteelStore Cloud Integrated Storage
- Debian Linux 8.0
- Oracle Agile PLM 9.3.6
- Oracle Banking Digital Experience 18.1, 18.2, 18.3, 19.1, 19.2, 20.1
- Oracle Communications Calendar Server 8.0.0.4.0
- Oracle Communications Contacts Server 8.0.0.5.0
- Oracle Communications Diameter Signaling Router
- Oracle Communications Element Manager
- Oracle Communications Evolved Communications Application Server 7.1
- Oracle Communications Session Report Manager
- Oracle Communications Session Route Manager
Discovery Timeline
- June 14, 2020 - CVE-2020-14062 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-14062
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The flaw exists in how jackson-databind processes polymorphic deserialization when default typing is enabled. The com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool class serves as a gadget that can be exploited during the deserialization process.
When an application using jackson-databind deserializes untrusted JSON input with polymorphic type handling enabled, an attacker can inject a specially crafted payload that references the vulnerable xalan2 class. This class interacts with JNDI (Java Naming and Directory Interface), which can be manipulated to load arbitrary objects from remote servers, ultimately leading to code execution.
The attack is conducted over the network and requires neither authentication nor user interaction. Attack complexity is rated high because two preconditions must hold: the xalan2 library must be present on the application's classpath, and polymorphic typing must be enabled.
Root Cause
The root cause lies in jackson-databind's polymorphic type handling feature, which allows JSON to specify the class type for deserialization. Without proper blocklisting of dangerous classes, attackers can specify gadget classes like JNDIConnectionPool that perform dangerous operations during instantiation or through setter methods. The JNDIConnectionPool class, when instantiated with attacker-controlled parameters, can be coerced into making JNDI lookups to malicious servers, enabling remote class loading and code execution.
Attack Vector
The attack is conducted over the network by sending a malicious JSON payload to an application endpoint that deserializes JSON using a vulnerable jackson-databind configuration. The attacker crafts JSON that specifies the com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool as the type to instantiate, along with parameters that cause the class to perform a JNDI lookup to an attacker-controlled server. This server responds with a malicious Java object that executes arbitrary code when loaded.
The exploitation mechanism involves:
- The attacker identifies an application using vulnerable jackson-databind with polymorphic typing enabled
- A malicious JSON payload is crafted containing the xalan2 gadget class reference
- The payload includes a JNDI URL pointing to an attacker-controlled LDAP or RMI server
- When deserialized, jackson-databind instantiates the gadget class and triggers the JNDI lookup
- The malicious server responds with a serialized Java object containing exploit code
- The vulnerable application loads and executes the malicious code
Detection Methods for CVE-2020-14062
Indicators of Compromise
- Unexpected outbound JNDI/LDAP/RMI connections from Java applications to external servers
- JSON payloads containing references to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool in application logs
- Anomalous class loading activity in Java applications processing JSON input
- Network traffic to suspicious LDAP servers on non-standard ports
Detection Strategies
- Monitor application logs for deserialization errors or unexpected class instantiation attempts involving xalan2 classes
- Implement network monitoring to detect outbound JNDI lookups to untrusted destinations
- Deploy application-level JSON input validation to reject payloads containing suspicious type hints
- Utilize runtime application self-protection (RASP) tools to detect and block deserialization attacks
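The following Java class is an added example, not code from the page or from the jackson-databind project. It implements the application-level input check described above: before a request body is handed to a polymorphic ObjectMapper, the body is parsed as a plain tree (with default typing off) and walked for Jackson type hints, both the "@class" property form and the two-element WRAPPER_ARRAY form, and for string values that look like JNDI URLs. Any "@class" value outside an allowlist of package prefixes is reported. The allowlist prefix "com.example.app." and the three sample bodies are constructed for the example; the gadget class name is the one named in this advisory.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class TypeHintScanner {

    // A plain mapper is enough to build a tree; default typing is never enabled on it.
    private static final ObjectMapper TREE_MAPPER = new ObjectMapper();

    // Package prefixes the application legitimately uses as class-name type ids (assumed).
    private static final List<String> ALLOWED_PREFIXES = List.of("com.example.app.");

    // Property name Jackson uses for class-name type ids under As.PROPERTY.
    private static final String CLASS_ID_KEY = "@class";

    // String values that look like JNDI references; no JSON field of ours should carry one.
    private static final Pattern JNDI_URL =
            Pattern.compile("^(ldap|ldaps|rmi|dns|iiop)://", Pattern.CASE_INSENSITIVE);

    // A fully qualified Java class name: at least one dot-separated package segment.
    private static final Pattern CLASS_NAME =
            Pattern.compile("^[a-zA-Z_$][\\w$]*(\\.[a-zA-Z_$][\\w$]*)+$");

    // Returns an empty list when the body carries no suspicious type hints or JNDI URLs.
    public static List<String> scan(String body) {
        List<String> findings = new ArrayList<>();
        JsonNode root;
        try {
            root = TREE_MAPPER.readTree(body);
        } catch (JsonProcessingException e) {
            findings.add("unparseable JSON: " + e.getOriginalMessage());
            return findings;
        }
        walk(root, "$", findings);
        return findings;
    }

    private static void walk(JsonNode node, String path, List<String> findings) {
        if (node.isObject()) {
            Iterator<Map.Entry<String, JsonNode>> fields = node.fields();
            while (fields.hasNext()) {
                Map.Entry<String, JsonNode> f = fields.next();
                String childPath = path + "." + f.getKey();
                if (CLASS_ID_KEY.equals(f.getKey()) && f.getValue().isTextual()) {
                    checkTypeId(f.getValue().asText(), childPath, findings);
                }
                walk(f.getValue(), childPath, findings);
            }
        } else if (node.isArray()) {
            // WRAPPER_ARRAY form: ["fully.qualified.Class", { ...properties... }]
            if (node.size() == 2 && node.get(0).isTextual()
                    && CLASS_NAME.matcher(node.get(0).asText()).matches()) {
                checkTypeId(node.get(0).asText(), path + "[0]", findings);
            }
            for (int i = 0; i < node.size(); i++) {
                walk(node.get(i), path + "[" + i + "]", findings);
            }
        } else if (node.isTextual() && JNDI_URL.matcher(node.asText()).find()) {
            findings.add("JNDI-style URL at " + path + ": " + node.asText());
        }
    }

    private static void checkTypeId(String typeId, String path, List<String> findings) {
        boolean allowed = ALLOWED_PREFIXES.stream().anyMatch(typeId::startsWith);
        if (!allowed) {
            findings.add("type id outside allowlist at " + path + ": " + typeId);
        }
    }

    public static void main(String[] args) {
        // Constructed sample bodies: one benign, one naming the xalan2 gadget class,
        // one carrying a JNDI URL in a nested property.
        String[] samples = {
            "{\"@class\":\"com.example.app.LoginEvent\",\"user\":\"alice\"}",
            "[\"com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool\",{}]",
            "{\"event\":{\"name\":\"login\",\"ref\":\"ldap://attacker.example/obj\"}}"
        };
        for (String s : samples) {
            List<String> findings = scan(s);
            System.out.println((findings.isEmpty() ? "ACCEPT " : "REJECT ") + s);
            findings.forEach(f -> System.out.println("  - " + f));
        }
    }
}
```

The first sample is accepted, the second is rejected for naming a class outside the allowlist, and the third is rejected for the LDAP URL. The check is a pre-filter only: a type id that passes it is still subject to whatever the real ObjectMapper allows, so it complements rather than replaces the PolymorphicTypeValidator configuration recommended under Workarounds.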
Monitoring Recommendations
- Enable verbose logging for jackson-databind operations to capture deserialization attempts
- Configure network egress filtering to restrict outbound LDAP/RMI connections from application servers
- Implement alerting on any attempts to instantiate blocklisted gadget classes
- Conduct regular dependency scanning to identify vulnerable jackson-databind versions in your environment
How to Mitigate CVE-2020-14062
Immediate Actions Required
- Upgrade jackson-databind to version 2.9.10.5 or later immediately
- If immediate patching is not possible, disable polymorphic type handling (default typing) in jackson-databind configuration
- Audit applications for use of ObjectMapper.enableDefaultTyping() or @JsonTypeInfo annotations with untrusted input
- Review and restrict the classpath to remove unnecessary gadget classes like xalan2 where possible
Patch Information
FasterXML has addressed this vulnerability in jackson-databind version 2.9.10.5 by adding com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool to the blocklist of classes that cannot be deserialized when polymorphic typing is enabled. Organizations should upgrade to this version or later. Additional security advisories have been published by NetApp and Oracle through multiple Critical Patch Updates. For detailed information, refer to the GitHub Issue #2704.
Workarounds
- Disable default typing entirely using ObjectMapper.disableDefaultTyping() if not required by your application
- Implement a custom type validator via ObjectMapper.setDefaultTyping() that resolves only an explicit allowlist of classes
- Use PolymorphicTypeValidator (available in jackson-databind 2.10+) to restrict which classes can be deserialized
- Deploy network-level controls to block outbound JNDI connections from application servers
# Example: verify the resolved jackson-databind version in a Maven project
mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind
# Then update pom.xml to the patched version:
#   <dependency>
#     <groupId>com.fasterxml.jackson.core</groupId>
#     <artifactId>jackson-databind</artifactId>
#     <version>2.9.10.5</version>
#   </dependency>
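The following Java class is an added example, not code from the page or from the jackson-databind project, showing the workaround items above in working form for jackson-databind 2.10 or later: the unrestricted default-typing call that CVE-2020-14062 depends on is shown in a comment as the "before", and the hardened mapper keeps default typing on but gates it with a PolymorphicTypeValidator that only honours type ids for one application hierarchy. The Event and LoginEvent types and the two-element gadget payload are constructed for the example; the payload names only the type id from this advisory and carries no JNDI parameters.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class HardenedDefaultTyping {

    // Assumed application model: the only hierarchy that legitimately needs polymorphic handling.
    public static abstract class Event { public String name; }
    public static class LoginEvent extends Event { public String user; }

    // BEFORE (vulnerable configuration): every non-final declared type accepts any class name
    // found in the JSON, which is the precondition CVE-2020-14062 relies on.
    //   ObjectMapper m = new ObjectMapper();
    //   m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);   // deprecated since 2.10

    // AFTER: default typing stays on, but the validator only allows type ids whose declared
    // base type is Event. Any other base type, including Object, has no matching rule and is
    // denied before the named class is resolved into a deserializer.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfBaseType(Event.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Round-trips a legitimate event: the writer emits the WRAPPER_ARRAY form
    // ["...$LoginEvent", {...}] and the reader resolves it because the base type is Event.
    public static Event roundTrip(ObjectMapper m, LoginEvent in) throws Exception {
        String json = m.writerFor(Event.class).writeValueAsString(in);
        return m.readValue(json, Event.class);
    }

    // Returns true when the mapper refuses a payload naming the xalan2 gadget class as the
    // type id for an Object-typed target (constructed payload, type id only).
    public static boolean rejectsGadgetTypeId(ObjectMapper m) {
        String payload = "[\"com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool\",{}]";
        try {
            m.readValue(payload, Object.class);
            return false;   // the type id was resolved and honoured: configuration is unsafe
        } catch (InvalidTypeIdException e) {
            return true;    // validator denied the type id; the gadget is never instantiated
        } catch (Exception e) {
            return false;   // failed for some other reason; do not count it as a refusal
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper m = hardenedMapper();

        LoginEvent in = new LoginEvent();
        in.name = "login";
        in.user = "alice";
        Event out = roundTrip(m, in);
        System.out.println("round trip -> " + out.getClass().getSimpleName()
                + " user=" + ((LoginEvent) out).user);

        System.out.println("gadget type id rejected: " + rejectsGadgetTypeId(m));
    }
}
```

With the hardened mapper the round trip succeeds and rejectsGadgetTypeId returns true. The same validator can be applied to hierarchies annotated with @JsonTypeInfo via ObjectMapper.setPolymorphicTypeValidator(), and allowIfSubType() rules can be added for cases where the declared base type is too broad to allow on its own.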
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.