CVE-2020-24616 Overview
FasterXML jackson-databind 2.x before 2.9.10.6 contains an insecure deserialization vulnerability that mishandles the interaction between serialization gadgets and typing. This vulnerability is related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP), which can be exploited when polymorphic type handling is enabled. Attackers can leverage this gadget class to achieve remote code execution on vulnerable systems by crafting malicious JSON input that triggers arbitrary code execution during deserialization.
Critical Impact
This vulnerability enables remote code execution through unsafe deserialization when polymorphic typing features are enabled, potentially allowing attackers to gain complete control over affected systems.
Affected Products
- FasterXML jackson-databind (versions before 2.9.10.6)
- NetApp Active IQ Unified Manager (Linux, VMware vSphere, Windows)
- Oracle Agile PLM 9.3.6
- Oracle Application Testing Suite 13.3.0.1
- Oracle AutoVue for Agile Product Lifecycle Management 21.0.2
- Oracle Banking Liquidity Management 14.2, 14.3, 14.5
- Oracle Banking Supply Chain Finance 14.2, 14.3, 14.5
- Oracle Blockchain Platform
- Oracle Communications Calendar Server 8.0
- Oracle Communications Cloud Native Core Unified Data Repository 1.4.0
- Oracle Communications Contacts Server 8.0
- Oracle Communications Diameter Signaling Router
- Oracle Communications Element Manager
- Oracle Communications Evolved Communications Application Server 7.1
- Oracle Communications Instant Messaging Server 10.0.1.5.0
- Oracle Communications Messaging Server 8.1
- Oracle Communications Offline Mediation Controller 12.0.0.3
- Oracle Communications Policy Management 12.5.0
- Oracle Communications Pricing Design Center 12.0.0.4.0
- Oracle Communications Services Gatekeeper 7.0
- Oracle Communications Session Report Manager
- Oracle Communications Unified Inventory Management 7.4.1
- Oracle Identity Manager Connector 11.1.1.5.0
- Oracle Siebel UI Framework
- Debian Linux 9.0
Discovery Timeline
- August 25, 2020 - CVE-2020-24616 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-24616
Vulnerability Analysis
This vulnerability exists in FasterXML jackson-databind's polymorphic type handling mechanism. When applications enable default typing or use @JsonTypeInfo annotations with unsafe configurations, the library permits deserialization of arbitrary Java classes specified in incoming JSON data. The AnterosDBCPDataSource class from the Anteros-DBCP library acts as a "gadget" that can be weaponized during deserialization to execute arbitrary code.
The vulnerability is exploitable over the network without requiring user interaction, though successful exploitation depends on certain conditions being met, including the presence of the Anteros-DBCP library in the application's classpath and enabled polymorphic type handling. When exploited, attackers can achieve full compromise of confidentiality, integrity, and availability of the target system.
Root Cause
The root cause is CWE-502: Deserialization of Untrusted Data. Jackson-databind's default typing feature allows class type information to be embedded within JSON payloads. When enabled, the library instantiates objects based on the class names provided in the input, without adequately restricting which classes can be deserialized. The Anteros-DBCP AnterosDBCPDataSource class contains functionality that, when instantiated with attacker-controlled properties, leads to arbitrary code execution through JNDI lookup mechanisms or other dangerous operations.
Attack Vector
The attack is conducted over the network by sending a specially crafted JSON payload to an application that uses a vulnerable version of jackson-databind with polymorphic type handling enabled. The malicious JSON contains a reference to the br.com.anteros.dbcp.AnterosDBCPDataSource class along with properties that trigger code execution during deserialization.
The attacker's payload specifies the gadget class as the type to deserialize, along with configuration properties that can initiate outbound connections to attacker-controlled servers (such as JNDI/LDAP lookups) that serve malicious class files, ultimately achieving remote code execution on the vulnerable server.
Detection Methods for CVE-2020-24616
Indicators of Compromise
- Presence of JSON payloads containing br.com.anteros.dbcp.AnterosDBCPDataSource class references in application logs or network traffic
- Unexpected JNDI or LDAP lookup requests originating from application servers
- Unusual outbound network connections from Java applications to unknown external hosts
- Application errors or exceptions related to jackson-databind deserialization failures with suspicious class names
Detection Strategies
- Implement application-level logging to capture incoming JSON payloads and flag those containing known gadget class names
- Deploy network intrusion detection rules to identify JSON payloads with suspicious polymorphic type indicators
- Use static analysis tools to identify applications with vulnerable jackson-databind versions and enabled polymorphic typing
- Monitor for JNDI lookup patterns in network traffic that may indicate exploitation attempts
Monitoring Recommendations
- Configure SIEM rules to alert on deserialization-related exceptions containing known gadget class names
- Implement application performance monitoring to detect unusual serialization/deserialization activity patterns
- Monitor outbound network connections from Java application servers for unexpected LDAP or RMI protocol traffic
- Establish baseline behavior for JSON processing and alert on anomalies
How to Mitigate CVE-2020-24616
Immediate Actions Required
- Upgrade FasterXML jackson-databind to version 2.9.10.6 or later immediately
- If immediate patching is not possible, disable polymorphic type handling (default typing) in jackson-databind configurations
- Review application code to identify and remove unnecessary use of @JsonTypeInfo annotations with unsafe settings
- Add AnterosDBCPDataSource and related classes to jackson-databind's deny list if using a version that supports it
Patch Information
The vulnerability is fixed in FasterXML jackson-databind version 2.9.10.6 and later. Organizations should upgrade to the latest stable version to ensure protection against this and related gadget-based deserialization vulnerabilities. Oracle has addressed this vulnerability in multiple Critical Patch Updates including January 2021, April 2021, July 2021, October 2021, January 2022, and April 2022. For detailed information, refer to the GitHub Issue #2814 and the NetApp Security Advisory.
Workarounds
- Disable default typing globally by avoiding ObjectMapper.enableDefaultTyping() or similar configurations
- Implement strict class whitelisting using PolymorphicTypeValidator to restrict which classes can be deserialized
- Remove the Anteros-DBCP library from the application classpath if it is not required
- Deploy Web Application Firewalls (WAF) with rules to block JSON payloads containing known gadget class names
# Maven dependency update example
# Update jackson-databind in pom.xml to patched version
# <dependency>
# <groupId>com.fasterxml.jackson.core</groupId>
# <artifactId>jackson-databind</artifactId>
# <version>2.9.10.6</version>
# </dependency>
# Verify current jackson-databind version in Maven project
mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
