On July 29th, 2019 a high severity Deserialization of Untrusted Data vulnerability (CVE-2019-14379, CVE-2019-14439) affecting all versions of com.fasterxml.jackson.core:jackson-databind up to 2.9.9.2 was published. For those of you who use Spring Boot, note that the current release (2.1.7) depends on the older vulnerable jackson-databind 2.9.9 package.

About the vulnerability

This is not the first time that the jackson-databind package was subject to a Deserialization of Untrusted Data vulnerability. In fact, there are more than a dozen of these vulnerabilities known and disclosed since 2018, not to mention that almost all of these vulnerabilities are considered to be highly severe.

The main goal of the library is to serialize Java objects into JSON and the other way around. The problem lies in deserializing JSON back to Java objects. When a poorly written Java application has the ability to deserialize a JSON string from an untrusted source, a hacker can use this, for instance, to launch a remote code execution.

If polymorphic typing is activated for Jackson, an attacker can use a gadget to launch their attack when they control the JSON input. A gadget is a class or function that has already existing executable code present in the vulnerable process. This existing executable code can be reused for malicious purposes.

For this specific vulnerability, a gadget from Ehcache could be misused when default typing in Jackson is enabled. This was quickly solved by the maintainers of jackson-databind by adding the specific gadget to the already existing blacklist. Version 2.9.9.3 was released and does not contain this vulnerability anymore.

Spring Boot

At the time of writing this blog, the latest release version of Spring Boot is 2.1.7. This version has a dependency on the older jackson-databind 2.9.9 package.

Read more on how to resolve this issue...