CVE-2020-8840 Overview
CVE-2020-8840 is an insecure deserialization vulnerability affecting FasterXML jackson-databind versions 2.0.0 through 2.9.10.2. The vulnerability stems from a lack of certain xbean-reflect/JNDI blocking mechanisms, specifically demonstrated through the org.apache.xbean.propertyeditor.JndiConverter class. When polymorphic type handling is enabled, attackers can craft malicious JSON payloads that leverage this gadget class to achieve remote code execution on vulnerable systems.
Critical Impact
This vulnerability allows unauthenticated remote attackers to execute arbitrary code on systems using affected jackson-databind versions with polymorphic deserialization enabled, potentially leading to complete system compromise.
Affected Products
- FasterXML jackson-databind 2.0.0 through 2.9.10.2
- Debian Linux 8.0
- NetApp OnCommand API Services
- NetApp OnCommand Workflow Automation
- NetApp Service Level Manager
- NetApp SteelStore Cloud Integrated Storage
- Huawei OceanStor 9000 Firmware (v300r006c20 through v300r006c20spc300)
- Oracle Global Lifecycle Management OPatch
Discovery Timeline
- 2020-02-10 - CVE-2020-8840 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-8840
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The core issue lies in jackson-databind's polymorphic type handling feature, which allows JSON payloads to specify the Java class to be instantiated during deserialization. While FasterXML maintains a blocklist of known dangerous "gadget" classes, this particular vulnerability exploits a gap in that blocklist—specifically the org.apache.xbean.propertyeditor.JndiConverter class from the Apache XBean library.
When a vulnerable application deserializes attacker-controlled JSON input, the malicious payload can instantiate the JndiConverter class and trigger a JNDI lookup to an attacker-controlled server. This JNDI injection technique allows attackers to load and execute arbitrary Java code, achieving remote code execution without authentication.
Root Cause
The root cause is an incomplete blocklist in jackson-databind's SubTypeValidator class. The library attempts to prevent deserialization of known dangerous classes by maintaining a deny list, but the org.apache.xbean.propertyeditor.JndiConverter class was not included in versions prior to the patch. This class can be abused to perform JNDI lookups, which in combination with malicious LDAP or RMI servers, enables remote code execution through Java object loading.
Attack Vector
The attack requires that the target application:
- Uses a vulnerable version of jackson-databind (2.0.0 through 2.9.10.2)
- Has polymorphic type handling enabled (via @JsonTypeInfo or default typing)
- Has the Apache XBean library (xbean-reflect) on the classpath
- Accepts and deserializes JSON input from untrusted sources
An attacker can send a specially crafted JSON payload containing the malicious class reference. Upon deserialization, the JndiConverter performs a lookup to an attacker-controlled JNDI server (typically LDAP or RMI), which returns a malicious Java object that gets instantiated and executed on the victim system. This attack pattern is commonly associated with JNDI injection attacks and requires no authentication when the application accepts external JSON input.
Detection Methods for CVE-2020-8840
Indicators of Compromise
- Unusual outbound LDAP (port 389/636) or RMI (port 1099) connections from application servers
- JSON requests containing references to org.apache.xbean.propertyeditor.JndiConverter in type identifiers
- Unexpected Java class loading or process spawning from application server processes
- Log entries showing deserialization exceptions related to blocked classes
Detection Strategies
- Deploy web application firewall (WAF) rules to detect JSON payloads containing known jackson-databind gadget class names including JndiConverter
- Monitor for outbound connections to external LDAP/RMI servers from internal application tiers
- Implement application-level logging for deserialization operations and review for suspicious class instantiation attempts
- Use software composition analysis (SCA) tools to identify applications using vulnerable jackson-databind versions
Monitoring Recommendations
- Enable verbose logging for jackson-databind deserialization operations to capture attempted exploits
- Configure network monitoring to alert on unexpected JNDI-related protocol traffic from application servers
- Establish baseline outbound connection patterns and alert on anomalies from Java application processes
- Review application dependencies regularly using automated vulnerability scanning
How to Mitigate CVE-2020-8840
Immediate Actions Required
- Upgrade jackson-databind to version 2.9.10.3 or later, which includes the fix for this vulnerability
- If immediate patching is not possible, disable polymorphic type handling or implement a strict allowlist of permitted classes
- Remove the xbean-reflect library from the classpath if it is not required by the application
- Implement network egress filtering to block outbound LDAP and RMI connections from application servers
Patch Information
FasterXML has released patched versions of jackson-databind that add org.apache.xbean.propertyeditor.JndiConverter to the blocklist. Users should upgrade to version 2.9.10.3 or later for the 2.9.x branch. For users on older branches, upgrade paths include version 2.8.11.6 for the 2.8.x series or version 2.10.3 for the 2.10.x series. Review the GitHub Jackson Databind Issue 2620 for detailed information about the fix.
Additionally, multiple vendors have released advisories and patches:
- Huawei Security Advisory for OceanStor 9000 firmware
- NetApp Security Advisory NTAP-20200327-0002 for affected NetApp products
- Oracle has included fixes in their April 2020 and October 2020 Critical Patch Updates
Workarounds
- Disable default typing in jackson-databind by avoiding ObjectMapper.enableDefaultTyping() or equivalent configurations
- Implement a custom TypeResolverBuilder with a strict allowlist of permitted classes for polymorphic deserialization
- Use the PolymorphicTypeValidator API (available in jackson-databind 2.10+) to explicitly define allowed base types and subtypes
- Apply network segmentation to prevent application servers from making outbound connections to untrusted JNDI servers
# Verify jackson-databind version in Maven projects
mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind
# Check for vulnerable versions in Gradle projects
./gradlew dependencies | grep jackson-databind
# Enforce minimum version in Maven pom.xml
# Add dependency management section to override transitive dependencies
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
