Jackson Deserialization Vulnerability

Brian VermeerAugust 21, 2019

On July 29th, 2019, a high severity Deserialization of Untrusted Data vulnerability (CVE-2019-14379, CVE-2019-14439) was published, affecting all versions of com.fasterxml.jackson.core:jackson-databind before 2.9.9.2.
For those of you who use Spring Boot, note that the current release (2.1.7) depends on the older, vulnerable jackson-databind 2.9.9 package.

We have already updated our database, and the maintainers of jackson-databind have released a fix. If you use Snyk, you have already been informed about this vulnerability. The jackson-databind team did a great job shipping a new version (2.9.9.3) that no longer contains this vulnerability; the Snyk scanner offers this version as remediation advice, so after upgrading you are no longer affected.


About the vulnerability

This is not the first time the jackson-databind package has been subject to a Deserialization of Untrusted Data vulnerability. More than a dozen such vulnerabilities have been disclosed since 2018, and almost all of them are rated high severity.

The main goal of the library is to serialize Java objects into JSON and back again. The problem lies in deserializing JSON back into Java objects. When a poorly written Java application deserializes a JSON string from an untrusted source, an attacker can use this, for instance, to achieve remote code execution.

If polymorphic typing is activated for Jackson (default typing enabled globally, or a property annotated with @JsonTypeInfo using the CLASS or MINIMAL_CLASS id), the JSON document itself names the Java class to instantiate. An attacker who controls that JSON can therefore name a gadget. A gadget is a class that is already present on the classpath of the vulnerable process and whose constructor, setter or getter performs a dangerous side effect when Jackson instantiates and populates it, such as performing a JNDI lookup, loading a resource from an attacker-chosen URL, or executing code. That existing code is reused for malicious purposes; the attacker does not need to upload anything of their own.

For this specific vulnerability, a gadget class shipped with Ehcache (CVE-2019-14379) and one shipped with logback-core (CVE-2019-14439) could be misused when default typing in Jackson is enabled. The maintainers of jackson-databind quickly addressed this by adding the gadget classes to the existing blacklist of known-dangerous types that default typing refuses to instantiate. Keep in mind that this blacklist is reactive: every newly discovered gadget needs a new entry and a new release, which is why the safest configuration is to not enable default typing on untrusted input at all. Version 2.9.9.3 was released and does not contain this vulnerability anymore.
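To make the difference between the weak and the safe configuration concrete, here is an added example that is not part of the original post and not code from the jackson-databind project. It uses the Jackson 2.9 API (enableDefaultTyping) and constructed sample classes (Widget, Animal, Cat, Dog) that exist only for this demonstration; the real gadget classes are deliberately not shown, a harmless Widget stands in for whatever class the attacker would name.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class PolymorphicTypingDemo {

    // Constructed sample class; stands in for any class an attacker might name.
    public static class Widget {
        public String name;
    }

    // Hardened form: the type id in the JSON is a logical name, and only the
    // subtypes listed here may be instantiated. Anything else is rejected.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Cat.class, name = "cat"),
        @JsonSubTypes.Type(value = Dog.class, name = "dog")
    })
    public interface Animal {
    }

    public static class Cat implements Animal {
        public String name;
    }

    public static class Dog implements Animal {
        public String name;
    }

    // WEAK: global default typing, the setting these CVEs require. With
    // NON_FINAL every non-final declared type, including a root Object, is
    // read as ["fully.qualified.ClassName", {...}], so whoever writes the JSON
    // chooses the class. Any gadget on the classpath (Ehcache, logback-core,
    // ...) that is not yet on jackson-databind's blacklist is then reachable.
    public static Object readWithDefaultTyping(String json) throws Exception {
        ObjectMapper weak = new ObjectMapper();
        weak.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // vulnerable setting
        return weak.readValue(json, Object.class);
    }

    // SAFE: default typing stays off (the ObjectMapper default) and
    // polymorphism exists only where @JsonTypeInfo declares it, resolved
    // through the @JsonSubTypes whitelist rather than through class names.
    public static Animal readAnimal(String json) throws Exception {
        ObjectMapper safe = new ObjectMapper();
        return safe.readValue(json, Animal.class);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the class name travels inside the JSON. Swap Widget
        // for a gadget class and the same call path runs that class's side effects.
        String weakJson = "[\"" + Widget.class.getName() + "\",{\"name\":\"sprocket\"}]";
        Object o = readWithDefaultTyping(weakJson);
        System.out.println("default typing instantiated: " + o.getClass().getName());

        // Hardened path: a whitelisted logical name resolves to the mapped class.
        Animal a = readAnimal("{\"type\":\"cat\",\"name\":\"Tom\"}");
        System.out.println("whitelisted subtype: " + a.getClass().getSimpleName());

        // A type id that is not in the whitelist is refused before any class is
        // loaded or instantiated, even when it is a real class name.
        try {
            readAnimal("{\"type\":\"" + Widget.class.getName() + "\",\"name\":\"Tom\"}");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```

Annotating a single property with @JsonTypeInfo(use = Id.CLASS) has the same effect as enabling default typing for that property, so it deserves the same scrutiny. If you genuinely need default typing, Jackson 2.10 (released after this post) adds activateDefaultTyping with a PolymorphicTypeValidator, for example a BasicPolymorphicTypeValidator whose allowIfSubType rules are limited to your own packages; that turns the reactive blacklist into an explicit allow list.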

Spring Boot

At the time of writing, the latest release of Spring Boot is 2.1.7. This version depends on the older jackson-databind 2.9.9 package.

This means that if you build a new Spring Boot application using the Spring Boot Initializr, you will definitely get a vulnerable jackson-databind version on your classpath.

Until a new version of Spring Boot (or of spring-boot-starter-data-rest) is released, we can swap out the jackson-databind version ourselves. One way is to exclude the transitive package and declare the fixed version directly, as shown in the Maven example below. Keep in mind that jackson-databind is pulled in by several starters (spring-boot-starter-web brings it in through spring-boot-starter-json, for example), so after the change verify what actually ended up on the classpath with mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind:

<dependencies>
   <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-data-rest</artifactId>
       <exclusions>
           <exclusion>
               <groupId>com.fasterxml.jackson.core</groupId>
               <artifactId>jackson-databind</artifactId>
           </exclusion>
       </exclusions>
   </dependency>
   <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
       <version>2.9.9.3</version>
   </dependency>
…
</dependencies>

A better solution is to set the Maven property jackson.version to the fixed version. Spring Boot's parent POM uses this property to import the Jackson BOM (Bill of Materials), which pins all the individual Jackson artifacts (core, annotations, databind and the datatype and module artifacts) to the versions that belong together, so no module is left behind on an old release. Note that overriding the property only works when your project inherits from spring-boot-starter-parent; if you import spring-boot-dependencies in your dependencyManagement section instead, you have to add your own dependencyManagement entry (or import the Jackson BOM) before the spring-boot-dependencies import. In a Gradle project using the Spring Boot plugin, the same property name can be set in the gradle.properties file. For more information on Maven BOM and why this is important for Spring Boot, please read the blog: “What’s a Bill Of Material BOM File“

<properties>
    <jackson.version>2.9.9.20190807</jackson.version>
</properties>

Libraries like jackson-databind are in many cases an indirect dependency, pulled in as part of a larger framework. It is therefore wise to scan your applications for known vulnerabilities in these indirect dependencies in particular. By doing this on a regular basis you know whether you are vulnerable and can fix the issues accordingly.
