Spring Boot & jackson-databind Frustration

March 16, 2019

If you use the Spring Boot framework, you will likely bump into ‘Unsafe Deserialization’ issues highlighted in your static code security analysis results.  This type of vulnerability tends to be one of the more labor-intensive for software development teams to deal with.

A remote, anonymous, arbitrary code execution vulnerability in the open source component ‘jackson-databind’ is the most common root cause for these issues because spring-boot-starter-actuator uses it as a dependency.  ‘Unsafe Deserialization’ is typically addressed by upgrading com.fasterxml.jackson.core:jackson-databind, but because it is tightly coupled with spring-boot-starter-actuator, that is problematic.  If your application tolerates it, the quickest fix is to upgrade Spring Boot… to a version that uses jackson-databind version 2.9.8 (or above [as of today]).  The ‘available’ versions of ‘safe-enough’ Spring Boot keep shrinking.  The key challenge is jackson-databind’s use of a blacklist to resist specific attack payloads.  Every time a new attack gadget is released, jackson-databind goes from ‘safe-enough’ to CVSSv3 10 (whole-house-fire) overnight.  Because versioning Spring Boot… components requires significant effort, there is a lag between any new jackson-databind release and the new Spring Boot releases that incorporate it.

If the application under evaluation (the whole Spring-enabled stack) does not employ beans and does not expose any listening TCP ports (and uses no RMI, JMSInvoker, HTTPInvoker, etc., and you find no use of readObject(), readObjectNoData(), readResolve(), or readExternal() either), and you can produce some evidence of that, then that application may not be vulnerable.  It can be hard to prove a negative, and because of the depth and complexity of some Spring Boot-enabled applications (outside of the code that you write), that threshold can be a high bar.  So, circle back to “If your application tolerates it, the quickest fix is to upgrade spring-boot-starter-actuator to a version that uses Jackson-databind version 2.9.8 (or above).”
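A small evidence-gathering script for the two checks above, added here as an example and not part of the original post: it flags jackson-databind versions below 2.9.8 in `mvn dependency:tree` output and lists uses of the four native deserialization methods in your own source. The function names and the sample input are constructed for illustration.

```python
import re

# Artifact name and version floor are the ones the post gives (2.9.8, as of March 2019).
ARTIFACT = "com.fasterxml.jackson.core:jackson-databind"
FLOOR = (2, 9, 8)
DEP_RE = re.compile(re.escape(ARTIFACT) + r":jar:([^:\s]+):(\w+)")
# The four native-serialization hooks the post says to look for.
HOOK_RE = re.compile(r"\b(readObject|readObjectNoData|readResolve|readExternal)\s*\(")

def version_key(version):
    """Leading numeric components: '2.9.10.1' -> (2, 9, 10, 1), '2.9.0.pr1' -> (2, 9, 0)."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def stale_databind(tree_text, floor=FLOOR):
    """(version, scope) pairs from `mvn dependency:tree` output that fall below the floor."""
    found = {(m.group(1), m.group(2)) for m in DEP_RE.finditer(tree_text)}
    return sorted(f for f in found if version_key(f[0]) < floor)

def hook_hits(sources):
    """(path, line number, method) for each hook call or declaration in {path: text}."""
    hits = []
    for path, text in sorted(sources.items()):
        for number, line in enumerate(text.splitlines(), 1):
            hits += [(path, number, m.group(1)) for m in HOOK_RE.finditer(line)]
    return hits

# Constructed sample input: two module trees and two source files, not from a real build.
SAMPLE_TREE = r"""
[INFO] com.example:web:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-actuator:jar:0.0.0-EXAMPLE:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.6:compile
[INFO] com.example:batch:jar:0.0.1-SNAPSHOT
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.1:runtime
"""
SAMPLE_SOURCES = {
    "src/main/java/com/example/Cache.java":
        "ObjectInputStream in = new ObjectInputStream(stream);\nObject o = in.readObject();\n",
    "src/main/java/com/example/Dto.java": "public class Dto { private String name; }\n",
}

if __name__ == "__main__":
    print("jackson-databind below floor:", stale_databind(SAMPLE_TREE))
    print("native deserialization hooks:", hook_hits(SAMPLE_SOURCES))
```

A clean result covers only the build output and source you feed it; deserialization inside third-party libraries is outside its view.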

REFERENCES:

CVE-2017-17485: FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath. FROM: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485

Variants of this issue have been appearing and reappearing since 2011 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2894).

Also:
https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111
https://nvd.nist.gov/vuln/detail/CVE-2018-7489
https://nvd.nist.gov/vuln/detail/CVE-2017-7525
https://fortiguard.com/encyclopedia/ips/46004

