
Jackson Polymorphic Deserialization CVE Criteria

Tatu Saloranta edited this page Dec 30, 2020 · 10 revisions

What qualifies for a CVE report for Polymorphic Deserialization

This page outlines the criteria used for accepting reports of the problem described in "On Jackson CVEs: Don't Panic!": there is a possible security issue if all of the following hold:

  • Service accepts JSON content from untrusted senders AND
  • Service enables "Default Typing" feature (or uses equivalent @JsonTypeInfo with base type of java.lang.Object) AND
  • Service has on its classpath one of the third-party libraries containing "gadget" Java classes AND
  • Jackson version is 2.9.x or lower

then there may be a security issue to address by an addition to the class block list.

When such issues have been reported, new checks have been added to Jackson 2.9.x (2.10 and later versions have a separate prevention mechanism, the PolymorphicTypeValidator allow-list, that does not rely on blocks) to prevent deserialization of the reported "gadget" types.
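The configuration the criteria above describe, side by side with the 2.10+ replacement, as an added example (this is not code from the Jackson wiki or the Jackson project; the `Envelope` and `Greeting` types and the JSON inputs are constructed for illustration, and the block needs jackson-databind 2.10 or later to compile because of `JsonMapper.builder()`):

```java
// Added example, not from the Jackson wiki. Shows the condition the CVE
// criteria name (Default Typing, or @JsonTypeInfo on a java.lang.Object base)
// next to the 2.10+ allow-list configuration that replaces the block list.
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Constructed: a type this service legitimately expects to receive polymorphically.
    public static class Greeting {
        public String text;
    }

    // Constructed: both shapes named in the criteria, a java.lang.Object property
    // typed either by global Default Typing or by @JsonTypeInfo with class ids.
    public static class Envelope {
        public Object payload;

        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object annotated;
    }

    // The condition from the criteria: Default Typing enabled globally.
    // On 2.9.x the sender may name any class on the classpath; only the
    // block list stands between the type id and an instantiated object.
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyDefaultTyping() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // 2.10+ replacement: class ids are resolved only through an allow-list
    // validator, so a class that is not listed is rejected whether or not
    // anyone ever reported it as a gadget.
    static ObjectMapper validatedDefaultTyping() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Greeting.class)   // only the types this service expects
                .build();
        return JsonMapper.builder()
                // governs Default Typing on Object-typed properties ...
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
                // ... and also @JsonTypeInfo(use = Id.CLASS) declared on properties
                .polymorphicTypeValidator(ptv)
                .build();
    }

    // Reports what one mapper did with one input so the two can be compared.
    static String describe(ObjectMapper mapper, String json) {
        try {
            Envelope e = mapper.readValue(json, Envelope.class);
            Object value = (e.payload != null) ? e.payload : e.annotated;
            return "deserialized " + (value == null ? "null" : value.getClass().getName());
        } catch (JsonMappingException ex) {
            // The 2.9.x block list and the 2.10+ validator both reject through here.
            return "rejected: " + ex.getOriginalMessage();
        } catch (JsonProcessingException ex) {
            return "malformed: " + ex.getOriginalMessage();
        }
    }

    public static void main(String[] args) {
        String greeting = Greeting.class.getName();
        // Constructed inputs. Default Typing uses the ["class", value] wrapper-array
        // form; @JsonTypeInfo(use = Id.CLASS) defaults to an "@class" property.
        // java.util.HashMap stands in for "a class the sender chose and the
        // service never expected"; it is not a gadget, just not on the allow-list.
        String[] inputs = {
            "{\"payload\":[\"" + greeting + "\",{\"text\":\"hi\"}]}",
            "{\"payload\":[\"java.util.HashMap\",{}]}",
            "{\"annotated\":{\"@class\":\"" + greeting + "\",\"text\":\"hi\"}}",
            "{\"annotated\":{\"@class\":\"java.util.HashMap\"}}"
        };
        ObjectMapper legacy = legacyDefaultTyping();
        ObjectMapper validated = validatedDefaultTyping();
        for (String json : inputs) {
            System.out.println(json);
            System.out.println("  legacy    : " + describe(legacy, json));
            System.out.println("  validated : " + describe(validated, json));
        }
    }
}
```

The legacy mapper deserializes all four inputs, because java.util.HashMap is on the classpath and not on the block list; the validated mapper deserializes only the two Greeting inputs and rejects both HashMap inputs with an InvalidTypeIdException (a JsonMappingException subtype). Note that `activateDefaultTyping(ptv, ...)` alone does not cover `@JsonTypeInfo(use = Id.CLASS)` on annotated properties, which is why the builder also sets `polymorphicTypeValidator(ptv)`.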

Problem with maintenance of block list

Originally, reports covered widely-used Java libraries (such as EHCache, Spring Web or Hibernate), and one or two of the types found were even included in (some versions of) the JDK. These could be expected to be security vulnerabilities for multiple projects and as such were worth blocking.

But maintaining these blocks and handling CVE ID requests, allocation and version releases has its cost; and because Jackson 2.10 and later are not considered vulnerable in the same sense, over time the effort of adding to the block list has exceeded its value for the maintainers. For context, the current block list (jackson-databind 2.9.10.6) contains about 90 specific classes across 30-40 libraries.

New criteria (from Sep 15, 2020): Notability

Starting on September 15, 2020, new blocks will only be added (and a CVE ID allocated) for "gadget" types that are "Notable", which means inclusion in either:

  1. JDK version 1.8 (Java 8) or later (all valid types accepted, blocks added)
  2. Publicly available, "popular enough" artifact:
    • Must be listed on MvnRepository.com
    • Is depended on by at least 20 libraries (not including other components of the same framework, if part of larger set of artifacts)

Some of the existing blocks do not fulfill these criteria, but blocks that have been added previously will not be removed simply due to lack of popularity (or accessibility).

One particular class of cases that is no longer accepted is that of Application Server classes only available as part of an AS installation, unless they are also accessible as artifacts via Maven Central (or a similar publicly accessible and indexed Maven repository).

End of Jackson 2.9 support (31 Dec, 2020)

Due to the availability of newer minor versions (2.10.5 and 2.11.2 as of Sep 2, 2020), no new releases of Jackson 2.9, not even micro-patches, are planned after the end of 2020. It is always possible that an exception could be made for some critical issue, but there are no plans to maintain the block list beyond whatever the last micro-patch of 2.9.10 is on December 31, 2020.

Criteria for possible extension (from January 01, 2021)

Although no systematic additions are planned beyond the end of 2020, it is possible that especially notable cases could be addressed. The minimum requirement is that the gadget type is included in either:

  1. JDK version 1.8 (Java 8) or later
  2. Publicly available, very popular artifact:
    • Must be listed on MvnRepository.com
    • Is depended on by at least 200 libraries (not including other components of the same framework, if part of larger set of artifacts)