CVE-2020-10673

Description

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

CVSS Metrics

• v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
• v2.0•MEDIUM•Score: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 20.90%• Percentile: 96%

Techniques & Countermeasures

• CWE-502•Deserialization of Untrusted Data

  The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

• debian•debian_linux

  8.0

• fasterxml•jackson-databind

  ≥ 2.0.0, < 2.6.7.4 | ≥ 2.9.0, < 2.9.10.4

• com.fasterxml.jackson.core•jackson-databind

  ≥ 2.7.0, < 2.9.10.4 | ≥ 2.0.0, < 2.6.7.4

• netapp•steelstore_cloud_integrated_storage

  na

• oracle•agile_plm

  9.3.6

• oracle•autovue_for_agile_product_lifecycle_management

  21.0.2

• oracle•banking_digital_experience

  18.1 | 18.2 | 18.3 | 19.1 | 19.2 | 20.1

• oracle•banking_platform

  ≥ 2.4.0, ≤ 2.9.0

• oracle•communications_calendar_server

  8.0.0.4.0

• oracle•communications_contacts_server

  8.0.0.4.0 | 8.0.0.5.0

• oracle•communications_diameter_signaling_router

  ≥ 8.0.0, ≤ 8.2.2

• oracle•communications_element_manager

  ≥ 8.2.0, ≤ 8.2.2

• oracle•communications_evolved_communications_application_server

  7.1

• oracle•communications_instant_messaging_server

  10.0.1.4.0

• oracle•communications_network_charging_and_control

  ≥ 12.0.0, ≤ 12.0.3 | 6.0.1

• oracle•communications_session_report_manager

  ≥ 8.2.0, ≤ 8.2.2

• oracle•communications_session_route_manager

  ≥ 8.2.0, ≤ 8.2.2

• oracle•enterprise_manager_base_platform

  13.3.0.0 | 13.4.0.0

• oracle•financial_services_analytical_applications_infrastructure

  ≥ 8.0.6, ≤ 8.1.0

• oracle•financial_services_institutional_performance_analytics

  8.0.6 | 8.0.7 | 8.1.0

• oracle•financial_services_price_creation_and_discovery

  8.0.6 | 8.0.7

• oracle•financial_services_retail_customer_analytics

  8.0.6

• oracle•global_lifecycle_management_opatch

  < 12.2.0.1.20

• oracle•insurance_policy_administration_j2ee

  11.0.2.25 | 11.1.0.15

• oracle•jd_edwards_enterpriseone_orchestrator

  < 9.2.4.2

• oracle•jd_edwards_enterpriseone_tools

  < 9.2.4.2

• oracle•primavera_unifier

  ≥ 17.7, ≤ 17.12 | 16.1 | 16.2 | 18.8 | 19.12

• oracle•retail_merchandising_system

  15.0

• oracle•retail_sales_audit

  14.1

• oracle•retail_service_backbone

  14.1 | 15.0 | 16.0

• oracle•retail_xstore_point_of_service

  15.0 | 16.0 | 17.0 | 18.0 | 19.0

• Unknown•WebLogic Server

  12.2.1.3.0 | 12.2.1.4.0

References (13)

• https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html
• https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://security.netapp.com/advisory/ntap-20200403-0002/
• https://github.com/FasterXML/jackson-databind/issues/2660
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://nvd.nist.gov/vuln/detail/CVE-2020-10673
• https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15
• https://github.com/FasterXML/jackson-databind
• https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://security.netapp.com/advisory/ntap-20200403-0002