Tit for tat never ends; forgive where you can. This article is included at https://www.yourbatman.cn, which also hosts small, focused columns on the Spring technology stack, MyBatis, the JVM, middleware and more, free to read. Follow the public account [BAT Utopia] to master these topics one by one in depth rather than merely sampling them.
✍Preface
Hello, my name is YourBatman.
At noon today I received an email from our security department: Jackson has a security vulnerability. After checking, the matter is not actually new (it looks like about 10 days have already passed), so let's talk about it in this article.
There is some drama in it: Alibaba Cloud reported a Jackson deserialization vulnerability to the Jackson project. As everyone knows, JSON library usage in China falls into two main camps: the internationally renowned Jackson, and the domestic Fastjson produced by Alibaba.
Libraries with the same positioning inevitably compete, so when I saw that this vulnerability was reported by Alibaba Cloud the relationship felt rather subtle, and I quietly poked fun for three seconds, haha.
Note: FasterXML/jackson-databind is a Java library. Jackson can easily convert Java objects into JSON (and, with its data-format modules, XML documents), and convert JSON and XML back into Java objects. Jackson is a data-processing toolkit for Java from FasterXML in the USA; jackson-databind is the component that provides the data-binding functionality.
✍Text
Friends familiar with Brother A know that since Fastjson's last major security vulnerability I have thrown in my lot with Jackson and gradually replaced Fastjson in my work. I even wrote an article specifically about this: It's time for Fastjson to say goodbye. To complete the "migration" smoothly I also wrote what may be the only dedicated Jackson column on the whole web. It is small, but I did it~
About this vulnerability
On August 25, 2020, the jackson-databind project published a security advisory for a jackson-databind deserialization vulnerability, tracked as CVE-2020-24616.
Vulnerability details
The vulnerability stems from insecure deserialization. A remote attacker can exploit it to execute arbitrary code on the affected system by sending a carefully constructed malicious payload.
The underlying mechanism is the familiar one for jackson-databind: polymorphic deserialization lets the JSON itself name the class to instantiate, jackson-databind guards against this with a blacklist of known dangerous gadget classes, and this vulnerability uses gadget classes that were not yet on that blacklist, bypassing the restriction. The attacker sends a specially crafted request (carefully constructed JSON naming the gadget class in a type id) to a web service interface that uses this component, which can lead to remote code execution. As with the earlier jackson-databind gadget CVEs, this requires polymorphic type handling to be enabled (ObjectMapper default typing, or an @JsonTypeInfo property declared as a broad base type such as Object) and the gadget class to be present on the classpath.
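The following is an added example, not code from the page or from the Jackson project, that shows both halves of that mechanism side by side: a 2.9-style ObjectMapper with enableDefaultTyping(), where the JSON type id picks the class and the built-in blacklist is the only guard, beside a mapper hardened with the allow-list PolymorphicTypeValidator that jackson-databind 2.10 introduced. It assumes jackson-databind 2.10 or later on the classpath (enableDefaultTyping() still exists there, deprecated). The Greeting class and the two payloads are constructed for the demo; the "attacker-chosen" payload names java.util.HashMap so that it runs harmlessly.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Constructed for the demo: the only polymorphic value type the service means to accept.
    public static class Greeting {
        public String text;
    }

    // 2.9-style configuration at the root of every jackson-databind gadget CVE:
    // the JSON type id names the class to instantiate, and the only guard is
    // jackson-databind's built-in blacklist of known gadget classes.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 but still present
        return mapper;
    }

    // 2.10+ configuration: an allow-list PolymorphicTypeValidator. Any type id
    // that is not Greeting (or a subtype) is refused, blacklisted or not.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Greeting.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Deserializes a default-typed payload into Object and reports which class
    // Jackson instantiated, or why it refused.
    static String probe(ObjectMapper mapper, String json) {
        try {
            Object value = mapper.readValue(json, Object.class);
            return "accepted " + value.getClass().getName();
        } catch (InvalidTypeIdException e) {
            return "rejected type id " + e.getTypeId();
        } catch (Exception e) {
            return "failed: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed payloads in Jackson's default WRAPPER_ARRAY form: ["type id", value].
        // The first is what the service expects. In the second the client, not the
        // service, chose the class. java.util.HashMap keeps it harmless; one of the
        // four classes named in this advisory behaves the same way on the vulnerable
        // mapper whenever its jar is on the classpath and not yet on the blacklist.
        String expected = "[\"DefaultTypingDemo$Greeting\", {\"text\": \"hi\"}]";
        String attackerChosen = "[\"java.util.HashMap\", {\"k\": \"v\"}]";

        System.out.println("vulnerable, expected       : " + probe(vulnerableMapper(), expected));
        System.out.println("vulnerable, attacker-chosen: " + probe(vulnerableMapper(), attackerChosen));
        System.out.println("hardened,   expected       : " + probe(hardenedMapper(), expected));
        System.out.println("hardened,   attacker-chosen: " + probe(hardenedMapper(), attackerChosen));
    }
}
```

The vulnerable mapper accepts both payloads and instantiates whatever class the client named; the hardened mapper accepts Greeting and reports "rejected type id java.util.HashMap" for the other, because the validator denies anything outside the allow-list before a deserializer is ever built. That is why the 2.10+ API is the durable fix, whereas a blacklist is only ever as complete as the last gadget someone reported.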
Vulnerability rating
Criterion | Rating |
---|---|
Threat level | High |
Scope of impact | Limited |
Vulnerability score | 75 |
No feel for what this rating means? Let's compare it against a reference point: the rating of Fastjson's last security vulnerability (2020-05):
Criterion | Rating |
---|---|
Threat level | High |
Scope of impact | Wide |
Vulnerability score | 75 |
The difference between limited and wide is hard to put into words. By analogy, I think it is like the difference between AIDS and the novel coronavirus: the former has a limited effect on society as a whole, while the latter all but brought the world to a standstill, even though its fatality rate is far lower. That is what "scope of impact" means.
Affected versions
jackson-databind < 2.9.10.6
Since everyone now develops on Spring Boot, I'll map each Spring Boot version to the Jackson version it manages, so you can check where you stand:
Spring Boot version | Jackson version |
---|---|
1.5.22.RELEASE | 2.8.x |
2.0.9.RELEASE | 2.9.x |
2.1.16.RELEASE | 2.9.10.5 |
2.2.9.RELEASE | 2.10.x |
2.3.3.RELEASE | 2.11.x |
Spring Boot 2.1.x is probably the current mainstream version, so judging by the version numbers there is a good chance you fall within the affected range.
Fixed versions
jackson-databind 2.9.10.6, or 2.10.x and later. Note that from 2.10 onwards the blacklist is no longer the primary defence: enableDefaultTyping() is deprecated in favour of activateDefaultTyping(PolymorphicTypeValidator, ...), which takes an allow-list of permitted base and sub types, so the upgrade is also the moment to switch to that API.
Timeline
2020-08-05: a member of Alibaba Cloud's security team reported the vulnerability to Jackson:
On the same day the maintainer replied that a bugfix release addressing the problem was expected around 8-15 (what? ten more days after learning of it?):
In the end it took more than 10 days: only on 8-25 did Jackson release 2.9.10.6 to fix the problem and publish an announcement disclosing the vulnerability:
From Jackson officially learning of this vulnerability on 8-5 to the release on 8-25 that fixed it took 20 days. Why so long? I think there is only one reason: the impact of this vulnerability is genuinely small, or rather its scope is narrow. Recall Fastjson's last security vulnerability: a fixed version was released within 24 hours, not because the response was fast, but because the impact was too big to wait...
Remediation advice
Upgrading to 2.9.10.6 or later certainly avoids this security problem, but have you thought about how many services you are responsible for? How many services your team and your company run? Think about it, think about it carefully: headache yet?
Judging from how long the maintainers took to react to this vulnerability, its impact is relatively small, so I have summarised the following remediation advice. If you meet all three of the following conditions at the same time, fix it immediately; otherwise you can set it aside for now:
- The service exposes API endpoints to the public internet
- The jackson-databind version is lower than 2.9.10.6
- Any one of the following four classes is used by (or pulled transitively into) the project:
- br.com.anteros.dbcp.AnterosDBCPDataSource
- com.pastdev.httpcomponents.configuration.JndiConfiguration
- com.nqadmin.rowset.JdbcRowSetImpl
- org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl
The basis for condition 3 is my comparison of the source changes in the 2.9.10.6 release against the previous version, plus discussion with our company's security team: the fix consists solely of adding these four classes to the blacklist. Strictly speaking there is also a fourth precondition shared by every jackson-databind gadget vulnerability: the service must enable polymorphic typing (ObjectMapper.enableDefaultTyping(), or an @JsonTypeInfo property declared as Object or another broad base type); without that, the attacker cannot choose the class that gets instantiated and none of these gadgets is reachable. The screenshot of the blacklist change is as follows:
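Checking conditions 2 and 3 by hand across dozens of services is exactly the headache described above, so here is an added example, not from the page or from the Jackson project, that automates both over a directory of jars: it flags any jackson-databind jar whose version sorts below 2.9.10.6 and lists every jar that contains one of the four gadget classes named in this advisory. It assumes Maven's default artifact naming (jackson-databind-<version>.jar) and a directory of plain jars such as BOOT-INF/lib of an unpacked Spring Boot fat jar; the class names and the version cut-off come from this advisory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

public class JacksonGadgetScan {

    // The four classes jackson-databind 2.9.10.6 added to its blacklist, as jar entry paths.
    static final List<String> GADGET_ENTRIES = Arrays.asList(
            "br/com/anteros/dbcp/AnterosDBCPDataSource.class",
            "com/pastdev/httpcomponents/configuration/JndiConfiguration.class",
            "com/nqadmin/rowset/JdbcRowSetImpl.class",
            "org/arrah/framework/rdbms/UpdatableJdbcRowsetImpl.class");

    // First fixed version on the 2.9 line.
    static final int[] FIXED = {2, 9, 10, 6};

    // Matches e.g. jackson-databind-2.9.10.5.jar and captures the version (assumed Maven naming).
    static final Pattern DATABIND_JAR = Pattern.compile("jackson-databind-(\\d+(?:\\.\\d+)*)\\.jar");

    // True when the dotted version sorts numerically below 2.9.10.6
    // (missing trailing components count as 0, so "2.9.10" is affected).
    static boolean isAffectedVersion(String version) {
        String[] parts = version.split("\\.");
        for (int i = 0; i < FIXED.length; i++) {
            int v = i < parts.length ? Integer.parseInt(parts[i]) : 0;
            if (v != FIXED[i]) {
                return v < FIXED[i];
            }
        }
        return false; // exactly 2.9.10.6
    }

    // Lists which of the four gadget classes a single jar contains.
    static List<String> gadgetsIn(Path jar) throws IOException {
        List<String> hits = new ArrayList<>();
        try (JarFile jf = new JarFile(jar.toFile())) {
            for (Enumeration<JarEntry> en = jf.entries(); en.hasMoreElements(); ) {
                String name = en.nextElement().getName();
                if (GADGET_ENTRIES.contains(name)) {
                    hits.add(name);
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        // Directory of jars to scan; defaults to ./lib when no argument is given.
        Path root = Paths.get(args.length > 0 ? args[0] : "lib");
        List<Path> jars;
        try (Stream<Path> files = Files.walk(root)) {
            jars = files.filter(p -> p.toString().endsWith(".jar")).collect(Collectors.toList());
        }

        List<String> affectedDatabind = new ArrayList<>();
        List<String> gadgetHits = new ArrayList<>();
        for (Path jar : jars) {
            Matcher m = DATABIND_JAR.matcher(jar.getFileName().toString());
            if (m.matches() && isAffectedVersion(m.group(1))) {
                affectedDatabind.add(jar.toString());
            }
            for (String hit : gadgetsIn(jar)) {
                gadgetHits.add(jar + " contains " + hit);
            }
        }

        System.out.println("Condition 2 (jackson-databind < 2.9.10.6): "
                + (affectedDatabind.isEmpty() ? "not met" : affectedDatabind));
        System.out.println("Condition 3 (gadget class on classpath): "
                + (gadgetHits.isEmpty() ? "not met" : gadgetHits));
        if (!affectedDatabind.isEmpty() && !gadgetHits.isEmpty()) {
            System.out.println("Both met: if this service is reachable from the public internet, upgrade now.");
        }
    }
}
```

Run it with `javac JacksonGadgetScan.java && java JacksonGadgetScan path/to/BOOT-INF/lib` after unpacking the fat jar (`jar xf app.jar`), or point it at `target/lib` produced by `mvn dependency:copy-dependencies -DoutputDirectory=target/lib`. Condition 1 (public exposure) is a deployment fact the scanner cannot see; check it against your ingress or API gateway configuration.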
✍Summary
The layman watches the excitement; the expert looks at the craft. One must not say that because Fastjson had a vulnerability and now Jackson has one too, the two are tied; that would be a bit of a layman's view. As the saying goes: be bold in hypotheses, careful in verification, and cautious in drawing conclusions.
Overall the impact of this vulnerability is very small, so there is no need to make a fuss; I will continue my Jackson journey.
✔Recommended reading:
- Fastjson, it's time to say goodbye
- 1. Get to know Jackson, the best JSON library in the world
- 2. Damn, so this is how Jackson writes JSON
- 3. Only after understanding this can you dare to put "can write JSON with Jackson" on your resume
- 4. How is a JSON string parsed? Understanding JsonParser
- 5. The JsonFactory factory is nothing special, yet it still surprised me
- 6. Twenty and no longer confused: no more confusion when using ObjectMapper
- 7. Using Jackson's tree model to process JSON is an essential skill, believe it or not
♥Follow Brother A♥
Author | A哥 (YourBatman) |
---|---|
Personal site | www.yourbatman.cn |
Email | [email protected] |
 | fsx641385712 |
Active platforms | |
Public account | BAT Utopia (ID: BAT-utopia) |
Knowledge Planet | BAT Utopia |
Daily article recommendations | |