CVE-2020-14195 Overview
CVE-2020-14195 is an insecure deserialization vulnerability in FasterXML jackson-databind 2.x before version 2.9.10.5. The vulnerability arises from improper handling of the interaction between serialization gadgets and typing, specifically related to the org.jsecurity.realm.jndi.JndiRealmFactory class (aka org.jsecurity). When polymorphic type handling is enabled, an attacker can exploit this gadget class to achieve remote code execution through JNDI injection attacks.
Critical Impact
Remote attackers can exploit this deserialization flaw to execute arbitrary code on vulnerable systems by crafting malicious JSON payloads that leverage the JndiRealmFactory gadget chain for JNDI-based attacks.
Affected Products
- FasterXML jackson-databind versions before 2.9.10.5
- NetApp Active IQ Unified Manager (Linux, Windows, VMware vSphere)
- NetApp SteelStore Cloud Integrated Storage
- Debian Linux 8.0
- Oracle Agile PLM 9.3.6
- Oracle Banking Digital Experience (versions 18.1 through 20.1)
- Oracle Communications Calendar Server 8.0.0.4.0
- Oracle Communications Contacts Server 8.0.0.5.0
- Oracle Communications Diameter Signaling Router
- Oracle Communications Element Manager
- Oracle Communications Evolved Communications Application Server 7.1
- Oracle Communications Instant Messaging Server 10.0.1.4.0
- Oracle Communications Session Report Manager
- Oracle Communications Session Route Manager
Discovery Timeline
- June 16, 2020 - CVE-2020-14195 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-14195
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). Jackson-databind's polymorphic type handling feature, when enabled via enableDefaultTyping() or through @JsonTypeInfo annotations, allows class type information to be embedded within JSON data. This feature, while powerful for handling inheritance hierarchies, becomes dangerous when processing untrusted input.
The org.jsecurity.realm.jndi.JndiRealmFactory class acts as a "gadget" that can be instantiated and manipulated during deserialization. When an attacker provides a specially crafted JSON payload containing this class reference, the deserialization process can trigger JNDI lookups to attacker-controlled servers. This JNDI injection vector can ultimately lead to remote code execution through techniques such as loading malicious classes from remote servers.
The attack requires network access and relies on specific application configurations where polymorphic deserialization is enabled without proper type filtering.
Root Cause
The root cause stems from jackson-databind's incomplete blocklist of dangerous gadget classes. While FasterXML has implemented a blocklist approach to prevent known dangerous classes from being deserialized, the org.jsecurity.realm.jndi.JndiRealmFactory class was not included in versions prior to 2.9.10.5. This class provides a JNDI-based attack surface that can be exploited when the jsecurity library is present in the application's classpath.
The fundamental issue is that jackson-databind must maintain an ever-growing blocklist of gadget classes, creating a reactive security posture where new dangerous classes are blocked only after discovery.
Attack Vector
The attack is network-based and requires the following conditions to be exploitable:
- The target application must use jackson-databind with polymorphic type handling enabled
- The jsecurity library (containing JndiRealmFactory) must be present in the classpath
- The attacker must be able to supply malicious JSON input to the application
An attacker crafts a JSON payload specifying org.jsecurity.realm.jndi.JndiRealmFactory as the type, with properties configured to trigger a JNDI lookup to an attacker-controlled LDAP or RMI server. When the application deserializes this payload, the JNDI lookup occurs, potentially loading and executing malicious code from the attacker's server.
For technical details on this vulnerability, refer to the GitHub Issue #2765 which documents the affected gadget class.
Detection Methods for CVE-2020-14195
Indicators of Compromise
- Outbound network connections to unexpected LDAP or RMI servers from Java applications
- JSON payloads in application logs containing org.jsecurity.realm.jndi.JndiRealmFactory class references
- Unusual class loading activity or runtime code execution from deserialization operations
- Application crashes or exceptions related to JNDI lookup failures during JSON processing
Detection Strategies
- Implement application-level logging to capture and analyze incoming JSON payloads for suspicious class type indicators
- Deploy network monitoring to detect outbound JNDI connections (LDAP port 389/636, RMI port 1099) from application servers
- Utilize static analysis tools to identify usage of enableDefaultTyping() or unsafe @JsonTypeInfo configurations in source code
- Configure Web Application Firewalls (WAF) to detect and block JSON payloads containing known gadget class patterns
Monitoring Recommendations
- Monitor Java process network activity for connections to unknown external LDAP/RMI endpoints
- Set up alerting for JSON deserialization exceptions that reference blocked or unknown class types
- Review application dependencies to identify presence of jsecurity library in the classpath
- Implement runtime application self-protection (RASP) to detect exploitation attempts in real-time
How to Mitigate CVE-2020-14195
Immediate Actions Required
- Upgrade jackson-databind to version 2.9.10.5 or later immediately
- Audit application code for usage of ObjectMapper.enableDefaultTyping() and disable if not strictly required
- If polymorphic deserialization is necessary, migrate to ObjectMapper.activateDefaultTyping() with a PolymorphicTypeValidator that explicitly whitelists safe classes
- Remove the jsecurity library from classpath if not actively used
- Review and apply patches from vendor security advisories including Oracle CPU October 2020 and subsequent updates
Patch Information
FasterXML addressed this vulnerability by adding org.jsecurity.realm.jndi.JndiRealmFactory to the blocklist of dangerous gadget classes in jackson-databind version 2.9.10.5. Multiple downstream vendors have also released patches:
- Debian: Security update available via Debian LTS Announcement
- NetApp: Security advisory available at NetApp Security Advisory
- Oracle: Patches included in Critical Patch Updates from October 2020 through October 2021
Workarounds
- Disable polymorphic type handling entirely by removing enableDefaultTyping() calls if your application architecture permits
- Implement a custom PolymorphicTypeValidator that uses an explicit allowlist of permitted classes rather than relying on the default blocklist approach
- Deploy network egress controls to block outbound JNDI-related protocols (LDAP, RMI) from application servers to untrusted destinations
- Use Java security manager policies or module system restrictions to limit JNDI functionality at the JVM level
# Verify jackson-databind version in Maven projects
mvn dependency:tree | grep jackson-databind
# Update jackson-databind in pom.xml to patched version
# <dependency>
# <groupId>com.fasterxml.jackson.core</groupId>
# <artifactId>jackson-databind</artifactId>
# <version>2.9.10.5</version>
# </dependency>
# For Gradle projects, check dependencies
gradle dependencies | grep jackson-databind
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
