CVE-2020-9547 Overview
CVE-2020-9547 is a critical insecure deserialization vulnerability in FasterXML jackson-databind 2.x versions prior to 2.9.10.4. The vulnerability stems from improper handling of the interaction between serialization gadgets and polymorphic typing, specifically related to the com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig class (also known as ibatis-sqlmap). When polymorphic type handling is enabled, an attacker can craft malicious JSON payloads that leverage this gadget class to achieve remote code execution on vulnerable systems.
This vulnerability is part of a series of jackson-databind deserialization issues that have affected numerous enterprise applications and frameworks. The widespread use of jackson-databind as a JSON processing library in Java applications makes this vulnerability particularly impactful across enterprise environments.
Critical Impact
Remote code execution possible through crafted JSON payloads when polymorphic deserialization is enabled; affects numerous Oracle, NetApp, and other enterprise products
Affected Products
- FasterXML jackson-databind 2.x before 2.9.10.4
- NetApp Active IQ Unified Manager (Linux, Windows, VMware vSphere)
- Debian Linux 8.0
- Oracle AutoVue for Agile Product Lifecycle Management 21.0.2
- Oracle Banking Platform
- Oracle Communications Contacts Server 8.0.0.4.0
- Oracle Communications Evolved Communications Application Server 7.1
- Oracle Communications Instant Messaging Server 10.0.1.4.0
- Oracle Communications Network Charging and Control
- Oracle Enterprise Manager Base Platform 13.3.0.0, 13.4.0.0
- Oracle Global Lifecycle Management OPatch
- Oracle JD Edwards EnterpriseOne Orchestrator
- Oracle JD Edwards EnterpriseOne Tools
- Oracle Primavera Unifier (16.1, 16.2, 18.8, 19.12)
- Oracle Retail XStore Point of Service (15.0, 16.0, 17.0, 18.0, 19.0)
- Oracle WebLogic Server 12.2.1.3.0, 12.2.1.4.0
Discovery Timeline
- 2020-03-02 - CVE-2020-9547 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-9547
Vulnerability Analysis
The vulnerability exists in jackson-databind's polymorphic type handling mechanism, commonly enabled through @JsonTypeInfo annotations or global default typing configurations. When these features are enabled, jackson-databind attempts to instantiate classes based on type information embedded in the JSON input. The com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig class from the ibatis-sqlmap library serves as a "gadget" that can be exploited during deserialization.
The ibatis-sqlmap gadget class contains methods that are automatically invoked during the deserialization process. These methods can be manipulated through carefully crafted JSON input to perform arbitrary operations, including JNDI lookups that can lead to remote code execution. This attack pattern is similar to other jackson-databind gadget chain vulnerabilities that have been discovered over time.
For exploitation to succeed, the target application must have both jackson-databind with polymorphic typing enabled AND the ibatis-sqlmap library present in the classpath. However, given the prevalence of legacy applications and complex dependency chains in enterprise environments, this combination is more common than one might expect.
Root Cause
The root cause of CVE-2020-9547 lies in jackson-databind's insufficient blocklist of dangerous classes that can be instantiated during polymorphic deserialization. While jackson-databind maintains a blocklist of known gadget classes to prevent deserialization attacks, the com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig class was not included in versions prior to 2.9.10.4.
The CWE-502 (Deserialization of Untrusted Data) classification accurately describes this vulnerability pattern. The library trusts type information from untrusted JSON input, allowing attackers to specify arbitrary class types for instantiation. Combined with a gadget class that performs dangerous operations during construction or property setting, this enables remote code execution.
Attack Vector
The attack vector for CVE-2020-9547 is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending a malicious JSON payload to any endpoint that deserializes JSON using a vulnerable jackson-databind configuration.
The attack typically involves crafting a JSON payload that specifies the com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig class as the type to instantiate, along with properties that trigger JNDI lookups to attacker-controlled servers. When the payload is deserialized, the JNDI lookup retrieves and executes malicious code from the attacker's server.
The attack requires the target application to have polymorphic typing enabled (via enableDefaultTyping() or @JsonTypeInfo annotations) and the ibatis-sqlmap library in the classpath. The malicious JSON payload includes a type indicator that specifies the gadget class, along with properties that configure the JNDI lookup parameters.
Detection Methods for CVE-2020-9547
Indicators of Compromise
- Unusual outbound JNDI/LDAP/RMI connections from application servers to external IP addresses
- JSON payloads in request logs containing references to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig
- Unexpected class loading or instantiation errors in application logs referencing ibatis-sqlmap classes
- Network connections to suspicious external hosts on ports commonly used for JNDI exploitation (1099, 1389)
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect JSON payloads containing known gadget class names including JtaTransactionConfig
- Implement application-level logging to capture and analyze deserialization attempts with type information
- Use Software Composition Analysis (SCA) tools to identify applications running vulnerable jackson-databind versions
- Monitor for outbound LDAP, RMI, and JNDI connection attempts from application servers
Monitoring Recommendations
- Enable verbose logging for jackson-databind deserialization operations in non-production environments to identify polymorphic typing usage
- Implement network monitoring for unusual outbound connections from Java application servers
- Deploy endpoint detection and response (EDR) solutions to monitor for suspicious Java process behavior
- Create alerts for any access attempts to ibatis-sqlmap classes in application logs
How to Mitigate CVE-2020-9547
Immediate Actions Required
- Upgrade jackson-databind to version 2.9.10.4 or later immediately across all affected applications
- If immediate upgrade is not possible, disable polymorphic type handling by removing enableDefaultTyping() calls
- Audit all applications for use of @JsonTypeInfo annotations and assess the necessity of polymorphic deserialization
- Remove the ibatis-sqlmap library from application classpaths if it is not actively required
Patch Information
FasterXML addressed this vulnerability in jackson-databind version 2.9.10.4 by adding com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig to the blocklist of classes that cannot be instantiated during polymorphic deserialization. The fix is documented in GitHub Issue #2634.
Organizations using Oracle products should apply the relevant Critical Patch Updates as documented in the Oracle Security Alert January 2021, Oracle Security Alert October 2020, and Oracle Security Alert October 2021.
NetApp customers should refer to the NetApp Security Advisory for guidance on affected products and remediation steps.
Debian Linux users should apply updates as described in the Debian LTS Announcement.
Workarounds
- Disable default typing globally by avoiding ObjectMapper.enableDefaultTyping() and using explicit type handling instead
- Implement custom ObjectMapper configuration with PolymorphicTypeValidator to restrict allowed deserialization types
- Use @JsonTypeInfo(use = JsonTypeInfo.Id.NAME) with explicit @JsonSubTypes rather than class-based type identification
- Deploy network segmentation to prevent application servers from making outbound JNDI/LDAP connections
# Verify jackson-databind version in Maven projects
mvn dependency:tree | grep jackson-databind
# Check for vulnerable versions in Gradle projects
gradle dependencies | grep jackson-databind
# Search for polymorphic typing usage in codebase
grep -r "enableDefaultTyping\|@JsonTypeInfo" --include="*.java" .
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
