
[Vulnerability notice] Deserialization vulnerability in the enableDefaultTyping method in the Jackson framework

Last Updated: Apr 08, 2018

Jackson is an open-source Java serialization and deserialization framework. It can serialize Java objects to strings in XML and JSON formats and supports the reverse, deserialization, process. Because of its high efficiency, Jackson is the JSON parser built into Spring MVC.

Recently, an arbitrary code execution vulnerability has been found in versions earlier than Jackson 2.7.10 and 2.8.9. The vulnerability allows attackers to gain control over a website and therefore has a high security risk.

See the following for more information about the vulnerability.


CVE identifier

None

Vulnerability name

Deserialization vulnerability in the enableDefaultTyping method in the Jackson framework

Vulnerability rating

High

Vulnerability description

The enableDefaultTyping method in the Jackson framework has a Java deserialization code execution vulnerability. Attackers can exploit this vulnerability to run arbitrary code or system instructions on the server host and take control of the website server.

Condition and method of exploitation

Attackers can exploit this vulnerability, in applications that call enableDefaultTyping and deserialize externally supplied input, to run code remotely.

Affected scope

  • Jackson 2.7 < 2.7.10
  • Jackson 2.8 < 2.8.9

Vulnerability detection

Check whether the Jackson (jackson-databind) version used by the application falls within the affected scope above.

How to fix or mitigate

The fixed release 2.7.10 has been officially published (for the 2.8 branch, the affected scope above ends at 2.8.9). We recommend that you download and install the fixed release for the branch you use.
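To make the condition and the fix above concrete, the following is an added Java example (not code from the advisory or from the Jackson project) that places the vulnerable mapper configuration beside the allow-list configuration that jackson-databind 2.10 and later provide. It assumes jackson-databind 2.10 or later on the classpath; the Message and Greeting classes and the two JSON inputs are constructed for illustration.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {
    // Hypothetical application types: an Object-typed field is exactly where default typing applies.
    public static class Message { public Object payload; }
    public static class Greeting { public String text; }

    // Constructed sample input: with default typing on, the first array element names the class to instantiate.
    static final String TRUSTED = "{\"payload\":[\"DefaultTypingDemo$Greeting\",{\"text\":\"hi\"}]}";
    // Constructed input naming a class the application never intended for this field.
    static final String UNEXPECTED = "{\"payload\":[\"java.util.HashMap\",{}]}";

    // Vulnerable setting from the advisory: any class on the classpath can be named by the JSON.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return m;
    }

    // Hardened setting (jackson-databind 2.10+): a validator allow-lists the only subtype the field may carry.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Greeting.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // The hardened mapper still accepts the type the application expects ...
        Greeting g = (Greeting) hardenedMapper().readValue(TRUSTED, Message.class).payload;
        System.out.println("hardened accepted Greeting: " + g.text);
        // ... while the weak mapper instantiates whatever class the input names.
        Object p = weakMapper().readValue(UNEXPECTED, Message.class).payload;
        System.out.println("weak instantiated: " + p.getClass().getName());
        // The validator rejects the unexpected type id before any instance is created.
        try {
            hardenedMapper().readValue(UNEXPECTED, Message.class);
        } catch (JsonMappingException e) {
            System.out.println("hardened rejected: " + e.getOriginalMessage());
        }
    }
}
```

If upgrading is not immediately possible, removing the enableDefaultTyping call and declaring allowed subtypes explicitly with @JsonTypeInfo/@JsonSubTypes removes the input-controlled class selection altogether.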

Reference

[1] http://www.cnvd.org.cn/flaw/show/CNVD-2017-04483
[2] https://github.com/FasterXML/jackson-databind/issues/1599
