Jackson is an open-source Java serialization and deserialization framework. It can serialize Java objects to strings in XML and JSON formats and deserialize them back into objects. Because of its high efficiency, Jackson is the parser built into Spring MVC.
An arbitrary code execution vulnerability has recently been found in Jackson versions earlier than 2.7.10 and 2.8.9. The vulnerability allows attackers to take control of a website and therefore poses a high security risk.
See the following for more information about the vulnerability.
Deserialization vulnerability in the enableDefaultTyping method in the Jackson framework
The enableDefaultTyping method in the Jackson framework contains a Java deserialization code execution vulnerability. Attackers can exploit it to run arbitrary code or system commands on the server host and take control of the web server.
Condition and method of exploitation
Attackers can exploit this vulnerability to execute code remotely. The affected versions are:
- Jackson 2.7 < 2.7.10
- Jackson 2.8 < 2.8.9
Check whether your application uses any of the affected versions.
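The following Java snippet is an added example, not code from the advisory or from the Jackson project. It shows the weak configuration described above (calling enableDefaultTyping on an ObjectMapper) beside the hardened form, and a helper that checks the Jackson databind version at runtime against the affected ranges listed above. The class name JacksonDefaultTypingCheck and the helper names are assumptions; ObjectMapper.version() and the Version accessors are real Jackson APIs.

```java
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.ObjectMapper;

public class JacksonDefaultTypingCheck {

    // Weak configuration: global default typing lets the JSON input itself
    // name the class to instantiate for polymorphic fields. On an affected
    // Jackson version this is the code-execution path the advisory describes.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // do not use in production
        return mapper;
    }

    // Hardened configuration: default typing is never enabled (the default
    // state). Fields that genuinely need polymorphism are declared explicitly
    // with @JsonTypeInfo/@JsonSubTypes on the specific classes, so untrusted
    // input cannot choose arbitrary classes to deserialize.
    static ObjectMapper hardenedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        // enableDefaultTyping() intentionally not called
        return mapper;
    }

    // Returns true if the Jackson databind version in use falls into one of
    // the affected ranges stated in the advisory: 2.7 < 2.7.10, 2.8 < 2.8.9.
    static boolean isAffectedVersion(Version v) {
        if (v.getMajorVersion() != 2) {
            return false;
        }
        int minor = v.getMinorVersion();
        int patch = v.getPatchLevel();
        return (minor == 7 && patch < 10) || (minor == 8 && patch < 9);
    }

    public static void main(String[] args) {
        // ObjectMapper.version() reports the jackson-databind version on the classpath
        Version v = new ObjectMapper().version();
        System.out.println("jackson-databind " + v
                + " affected=" + isAffectedVersion(v));
    }
}
```

Run the class on the application's own classpath so the reported version is the one the application actually loads, not the one declared in a build file.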
How to fix or mitigate
The 2.7.10 patch has been officially released. We recommend that you download and install it.