| Rule General Information | |
|---|---|
| Release Date: | 2025-01-07 |
| Rule Name: | FasterXML Jackson-databind Remote Code Execution Vulnerability (CVE-2020-9547) |
| Severity: | |
| CVE ID: | CVE-2020-9547 |
| Rule Protection Details | |
|---|---|
| Description: | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). |
| Impact: | An attacker who successfully exploits this flaw can execute arbitrary code in the context of the vulnerable software. |
| Affected OS: | Windows, Linux, Others |
| Reference: | https://github.com/FasterXML/jackson-databind/issues/2634 |
| | https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd%40%3Cissues.zookeeper.apache.org%3E |
| | https://lists.apache.org/thread.html/r4accb2e0de9679174efd3d113a059bab71ff3ec53e882790d21c1cc1%40%3Cnotifications.zookeeper.apache.org%3E |
| | https://lists.apache.org/thread.html/r742ef70d126548dcf7de5be5779355c9d76a9aec71d7a9ef02c6398a%40%3Cnotifications.zookeeper.apache.org%3E |
|
| Solutions |
|---|

Upgrade Jackson-Databind to a patched version: 2.9.10.4 or later (release tags: https://github.com/FasterXML/jackson-databind/tags). Either of the following methods works:

- JAR replacement:
  1. Download the JAR file of the target version.
  2. Replace the old JAR file with the new one.
- Maven project update:
  1. Change the version of com.fasterxml.jackson.core:jackson-databind in the pom.xml.
  2. Rebuild the project with Maven install (`mvn install`).
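As an added check (not part of this rule or of the Jackson project), the script below tells whether a jackson-databind version falls inside the affected range stated above (2.x before 2.9.10.4), reading the version either from a JAR file name or from a pom.xml dependency entry. The sample pom.xml is constructed for the example; a `${property}` version reference is returned unresolved and must be looked up in the pom's `<properties>` before it can be checked.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release in the 2.x line, per the advisory above.
PATCHED = (2, 9, 10, 4)
# Matches jackson-databind-<version>[-classifier].jar, e.g. jackson-databind-2.9.10.3.jar
JAR_RE = re.compile(r"^jackson-databind-(\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")

def parse_version(text):
    """'2.9.10' -> (2, 9, 10, 0): pad to four parts so 2.9.10 sorts below 2.9.10.4."""
    parts = [int(p) for p in text.strip().split(".")]  # raises ValueError on ${property}
    return tuple((parts + [0, 0, 0, 0])[:4])

def is_affected(version):
    """True for any 2.x release older than 2.9.10.4 (the range the advisory names)."""
    v = parse_version(version)
    return v[0] == 2 and v < PATCHED

def version_from_jar_name(name):
    """Extract the version from a jackson-databind JAR file name, or None for other JARs."""
    m = JAR_RE.match(name)
    return m.group(1) if m else None

def pom_databind_version(pom_xml):
    """Return the <version> declared for jackson-databind in a pom.xml string, or None.
    Handles the Maven XML namespace; a ${property} reference is returned unresolved."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():
        if el.tag.split("}")[-1] != "dependency":
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in el}
        if fields.get("artifactId") == "jackson-databind":
            return fields.get("version")
    return None

# Constructed sample pom.xml (not from any real project) pinning a vulnerable release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.10.3</version>
    </dependency>
  </dependencies>
</project>"""
```

To sweep a deployment, feed the output of `find / -name 'jackson-databind-*.jar'` through `version_from_jar_name` and `is_affected`.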