At the beginning of 2018, jackson-databind was reported to contain another remote code execution (RCE) vulnerability (CVE-2017-17485) that affects versions 2.9.3 and earlier, 220.127.116.11 and earlier, and 2.8.10 and earlier. This vulnerability is caused by jackson-dababind’s incomplete blacklist. An application that uses jackson-databind will become vulnerable when the enableDefaultTyping method is called via the ObjectMapper object within the application. An attacker can thus compromise the application by sending maliciously crafted JSON input to gain direct control over a server. Currently, a proof of concept (POC) exploit for this vulnerability has been publicly available. All users who are affected by this vulnerability should upgrade to the latest versions as soon as possible to fix this issue.
Impact of the CVE-2017-17485 Vulnerability
- Affected Versions
Jackson-databind version <= 2.9.3
Jackson-databind version <= 18.104.22.168
Jackson-databind version <= 2.8.10
- Unaffected Versions
Jackson-databind version 22.214.171.124
Jackson-databind version 126.96.36.199
Jackson-databind version 2.8.11
How to Detect the CVE-2017-17485 Vulnerability
If the enableDefaultTyping method is called via the ObjectMapper object within an application that uses the jackson-databind component, this application will become vulnerable. Developers are advised to check whether the jackson-databind component is used in applications, and if so, to further check its version number and whether the enableDefaultTyping method is called in the code. The following uses the Maven project as an example to show how to check the use of jackson-databind.
- Check whether jackson-databind is included in pom.xml and, if so, whether its version is earlier than 2.9.3.
- If the answers to the preceding two questions are both “Yes”, check whether the enableDefaultTyping method is called in the code. If so, it is recommended that the component be upgraded immediately and the web application be restarted.
How to Protect Against the CVE-2017-17485 Vulnerability
(1) Official Fix
The vendor has released new versions to fix this vulnerability by expanding the blacklist. Affected users are advised to upgrade to the latest versions as soon as possible.
The new major version (3.x) of jackson-databind will address this issue via a new API layer that provides a way to achieve whitelisting-based serialization for these polymorph classes.
(2) Use of Security Products
- Custom Rule
For immediate protection against the jackson-databind RCE vulnerability and reduction of any loss from possible exploitation of this vulnerability, we recommend that customers who have deployed NSFOCUS Web Application Firewall (WAF) configure the following custom rule before an official protection rule is provided:
|(uri * rco .*org\.springframework\.context\.support\.FileSystemXmlApplicationContext.*)|
Users can do as follows to configure this custom rule:
a. Create a custom rule by clicking Create under Security Management > Rule Database Management > Custom Rules > Custom.
c. Set other parameters as follows and then click Add:
- Set Inspection Object to Request-Body.
- Set Matching Relationship to Regular Expression Including.
- Set Inspection Value to .*org\.springframework\.context\.support\.FileSystemXmlApplicationContext.