Rule General Information

| Field | Value |
|---|---|
| Release Date | 2025-01-07 |
| Rule Name | FasterXML Jackson-databind Remote Code Execution Vulnerability (CVE-2020-9548) |
| Severity | |
| CVE ID | CVE-2020-9548 |
Rule Protection Details

| Field | Value |
|---|---|
| Description | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). |
| Impact | An attacker who can supply JSON to an application that deserializes it with polymorphic (default) typing enabled, and that has the anteros-core class on its classpath, can execute arbitrary code in the context of the application running the vulnerable library. |
| Affected OS | Windows, Linux, Others |
| Reference | https://github.com/FasterXML/jackson-databind/issues/2634 |
| | https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd%40%3Cissues.zookeeper.apache.org%3E |
| | https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1%40%3Cdev.zookeeper.apache.org%3E |
| | https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb%40%3Cissues.zookeeper.apache.org%3E |

Solutions

Upgrade jackson-databind to a patched version: 2.9.10.4 or later (release tags: https://github.com/FasterXML/jackson-databind/tags).

Upgrade by JAR replacement:
1. Download the JAR file of the target version.
2. Replace the old JAR file with the new one.

Upgrade a Maven project:
1. Change the version of com.fasterxml.jackson.core:jackson-databind in pom.xml to 2.9.10.4 or later.
2. Rebuild the project: mvn install
3. Confirm which version is actually resolved, since another dependency may still pull in an older jackson-databind: mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind

Note that 2.9.10.4 closes this issue by adding AnterosDBCPConfig to Jackson's list of blocked gadget classes; later releases block further gadgets, so prefer the latest 2.9.10.x or a 2.10+ release. The underlying weakness is enabling default typing (or declaring polymorphic base types such as Object) for JSON from untrusted sources. Disable default typing where it is not needed, and where it is needed use the allow-list based PolymorphicTypeValidator available from jackson-databind 2.10 onward.
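The following is an added illustration, not code from this rule page or from the jackson-databind project. It shows the unsafe global default-typing configuration that this class of gadget CVEs depends on, next to the hardened form available from jackson-databind 2.10 onward, where an explicit allow-list of subtypes is enforced before any class named in the JSON is loaded. The package name com.example.jacksondemo, the Settings model class and the sample JSON strings are constructed for the example; the gadget class name is the one from the description above, used only to show that an unlisted type id is rejected.

```java
// Added example; requires jackson-databind 2.10 or later for the hardened mapper.
package com.example.jacksondemo;

import java.io.IOException;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Assumed application model class that legitimately needs polymorphic handling.
    public static class Settings {
        public String name;
        public int retries;
    }

    // Constructed input. Jackson's default-typing wire format is a two-element
    // array: [ "fully.qualified.ClassName", { ...fields... } ]. With default
    // typing enabled and a base type of Object, the class name is attacker-controlled.
    static final String TRUSTED_JSON =
        "[\"com.example.jacksondemo.DefaultTypingDemo$Settings\", {\"name\":\"db\",\"retries\":3}]";
    static final String UNLISTED_TYPE_JSON =
        "[\"br.com.anteros.dbcp.AnterosDBCPConfig\", {}]";

    // UNSAFE (2.x pre-2.10 style): global default typing with no validator.
    // Any class on the classpath can be named in the JSON; on versions before
    // 2.9.10.4 with anteros-core present, this is the setting CVE-2020-9548 abuses.
    // Kept here only for comparison; do not use for untrusted input.
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // HARDENED (2.10+): default typing is activated only together with an
    // allow-list. A type id outside the listed package is denied by name,
    // so the named class is never loaded.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.jacksondemo.")
            .build();
        return JsonMapper.builder()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
            .build();
    }

    // Deserialize to the polymorphic base type Object and report the outcome.
    static String tryRead(ObjectMapper mapper, String json) {
        try {
            Object o = mapper.readValue(json, Object.class);
            return "accepted: " + o.getClass().getName();
        } catch (IOException e) {
            // JsonMappingException (and its subclasses) extend IOException in 2.x.
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        ObjectMapper unsafe = unsafeMapper();
        ObjectMapper hardened = hardenedMapper();

        // Both mappers accept the application's own type...
        System.out.println("unsafe   -> " + tryRead(unsafe, TRUSTED_JSON));
        System.out.println("hardened -> " + tryRead(hardened, TRUSTED_JSON));

        // ...but only the hardened mapper refuses a type id outside the allow-list,
        // regardless of whether that class happens to be on the classpath.
        System.out.println("hardened -> " + tryRead(hardened, UNLISTED_TYPE_JSON));
    }
}
```

Run it with jackson-databind 2.10+ on the classpath: the hardened mapper deserializes the Settings instance and reports a rejection for the unlisted type id, while the unsafe mapper's behaviour on an arbitrary class name depends entirely on what is on the classpath and on the version's blocklist. That dependence is why the version upgrade above should be paired with removing default typing from untrusted input paths or constraining it with an allow-list.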