Shulou(Shulou.com)06/01 Report--

How to analyze the vulnerability of FasterXML/jackson-databind program code execution? in view of this problem, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible method.

0x00 vulnerability background

On March 2, 2020, 360CERT monitored that jackson-databind applied for vulnerability numbers CVE-2020-9547 and CVE-2020-9548 for two new deserialization exploitation chains.

Jackson-databind is a JSON processing library under the FasterXML project team.

The vulnerability affects jackson-databind 's processing of JSON text. An attacker can use a specially crafted request to trigger remote code execution, and successfully gain control of the server (Web service level). This vulnerability also affects fastjson with the autotype option turned on.

0x01 risk rating

360CERT assesses the vulnerability

The evaluation method, the threat level, the medium danger influence surface is general.

360CERT recommends that users update the jackson-databind/fastjson version in a timely manner. Do a good job of asset self-check / self-test / prevention to avoid attack.

0x02 affects version

Jackson-databind < 2.10.0

0x03 repair recommendation

1. Update jackson-databind to the latest version:

Https://github.com/FasterXML/jackson

At the same time, 360CERT strongly recommends troubleshooting whether Anteros-Core and ibatis-sqlmap are used in the project. The core reason for this vulnerability is the existence of special exploitation chains in Anteros-Core and ibatis-sqlmap that allow users to trigger JNDI remote class load operations. Removing Anteros-Core and ibatis-sqlmap can mitigate the impact of the vulnerability.

0x04 vulnerability proof

CVE-2020-9547:

CVE-2020-9548:

This is the answer to the question on how to analyze the execution vulnerabilities of FasterXML/jackson-databind program code. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel to learn more about it.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.