There’s no such thing as revenge. You have to let it go. This article has been included at https://www.yourbatman.cn, together with all my other small but polished columns on the Spring technology stack, MyBatis, middleware and the JVM, all free to study. Follow the public account [BAT utopia] to work through them one by one and master them in depth.

✍ Foreword

Hi, I’m YourBatman.

At noon today I received an email from our company’s security department: Jackson has a security vulnerability. I checked and found that it is not new (it was disclosed 10 days ago), so let’s talk about it.

Quite dramatic: Aliyun submitted a Jackson serialization security vulnerability to the Jackson maintainers. As we all know, JSON libraries used in China fall into two main camps: the internationally famous Jackson, and Fastjson, produced by Alibaba.

With the same functional positioning, it is hard to believe there is no competition between them. So when I saw that this vulnerability was reported by Aliyun, I felt the relationship was rather delicate, and indulged a mischievous thought for three seconds, haha.

FasterXML/jackson-databind is a simple Java library that lets Jackson easily convert Java objects into JSON objects and XML documents, and JSON and XML back into Java objects. Jackson is FasterXML’s data-processing toolkit for Java, and jackson-databind is the component that provides data binding.

✍ Body

Those familiar with Brother A know that since the last major Fastjson security vulnerability was exposed, I have gone fully over to the Jackson camp and have gradually removed Fastjson from my work. I even wrote an article about it: It’s time to say goodbye to Fastjson. To make migration easier, I also wrote a Jackson column, probably the only one of its kind on the web: small, but packed with substance.

About this vulnerability

On August 25, 2020, the jackson-databind maintainers issued a security notice about a jackson-databind serialization vulnerability, vulnerability number CVE-2020-24616.

Vulnerability details

The vulnerability stems from unsafe deserialization. A remote attacker could exploit the vulnerability to execute arbitrary code on a system through a carefully constructed malicious payload.

The underlying principle is that a deserialization gadget chain uses certain classes to bypass jackson-databind’s blacklist restrictions, so a remote attacker who sends a specially crafted request (carefully constructed JSON) to a web service interface that uses this component can achieve remote code execution.

Vulnerability rating

Evaluation item        Level
Threat level           High risk
Influence surface      Limited
Vulnerability score    75

Not sure what this rating means? For comparison, here is the rating of Fastjson’s last (2020-05) vulnerability:

Evaluation item        Level
Threat level           High risk
Influence surface      Extensive
Vulnerability score    75

How big the gap between “limited” and “extensive” is, is hard to put into words. Take an analogy: think of the difference between AIDS and the novel coronavirus pandemic. The social and ecological impact of the former is not that great, whereas for the latter we are willing to shut down the whole world even though it kills nowhere near as many people. That is the “power” of the sphere of impact.

Affected versions

jackson-databind < 2.9.10.6

Since most of us now develop on Spring Boot, I am extending the version numbers so you can conveniently check where you stand:

Spring Boot version    Jackson version
1.5.22.RELEASE         2.8.x
2.0.9.RELEASE          2.9.x
2.1.16.RELEASE         2.9.10.5
2.2.9.RELEASE          2.10.x
2.3.3.RELEASE          2.11.x

Spring Boot 2.1.x should be the current mainstream version, so judging from the version numbers it is most likely within the range of this vulnerability.

Fixed versions

jackson-databind 2.9.10.6, or 2.10.x or later

Story timeline

On 2020-08-05, a member of the Alibaba Cloud security group reported the vulnerability to the Jackson maintainers. The same day, the maintainers replied that a fix release was expected around 8-15 (ten days after learning of the problem?). But it took more than 10 days: on August 25, Jackson released version 2.9.10.6, which fixes the problem, and published a public notice announcing the vulnerability:

It took 20 days from the Jackson maintainers learning of the vulnerability on August 5 to the final release of the fix on August 25. Why did it take so long? I think there is only one truth: this vulnerability really does not have a big impact, or rather, its sphere of impact is narrow. Recall that the last Fastjson security vulnerability was fixed within 24 hours, not because people reacted quickly, but because the impact was too big to wait…

Remediation advice

Upgrading everything to 2.9.10.6 or above in one go would certainly sidestep this security issue, but have you ever counted how many services you are responsible for? How many services does your team or company have? Think about it for a moment; does your head hurt yet?

Judging from the maintainers’ response time for this vulnerability, its impact is relatively small, so I have summarized the remediation advice as follows. If you meet all three of the following conditions, fix it immediately; otherwise you can ignore it for the time being:

  1. The service exposes APIs to the public network
  2. The Jackson version is earlier than 2.9.10.6
  3. The project uses (or introduces) any of the following four classes:
    1. br.com.anteros.dbcp.AnterosDBCPDataSource
    2. com.pastdev.httpcomponents.configuration.JndiConfiguration
    3. com.nqadmin.rowset.JdbcRowSetImpl
    4. org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl

The theoretical basis for condition 3 comes from my discussion with our company’s security team and from comparing the modified source code in the 2.9.10.6 release: the fix only added these 4 classes to the blacklist, as shown in the screenshot below:
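As an added example (my own triage helper, not code from the article or from the Jackson project), here is a POSIX shell script that applies the three conditions above across a service: it reads the jackson-databind version out of `mvn dependency:tree` output, checks whether it is below 2.9.10.6, and scans a class listing for the four blacklisted classes. The dependency tree, the class listing, the function names and the yes/no public-API flag are all constructed assumptions.

```shell
# Constructed sample of `mvn dependency:tree` output (not taken from the article).
SAMPLE_TREE='[INFO] com.example:demo:jar:1.0
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.5:compile'
# Constructed sample of a merged class listing (e.g. `jar tf` over every classpath jar).
SAMPLE_JAR_LIST='BOOT-INF/classes/com/example/DemoApplication.class
com/nqadmin/rowset/JdbcRowSetImpl.class'
# The four classes the 2.9.10.6 fix added to the blacklist (from the article).
GADGET_CLASSES='br.com.anteros.dbcp.AnterosDBCPDataSource
com.pastdev.httpcomponents.configuration.JndiConfiguration
com.nqadmin.rowset.JdbcRowSetImpl
org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl'

# Condition 2: exit 0 when a jackson-databind version is below 2.9.10.6.
# Each version part gets its own decimal slot so 2.10.x sorts above 2.9.10.6.
jackson_affected() {
  set -- $(printf '%s\n' "$1" | tr . ' ')          # "2.9.10.5" -> 2 9 10 5
  patch=${3%%[!0-9]*}; extra=${4%%[!0-9]*}         # "6-SNAPSHOT" -> 6, unset -> ""
  n=$(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${patch:-0} * 100 + ${extra:-0} ))
  [ "$n" -lt 2091006 ]                             # 2.9.10.6 encoded the same way
}

# Prints the first jackson-databind version found in dependency:tree output.
jackson_version_in_tree() {
  printf '%s\n' "$1" | sed -n 's/.*jackson-databind:jar:\([^:]*\):.*/\1/p' | head -n 1
}

# Condition 3: prints every gadget class present in the listing; exit 0 if any.
gadgets_present() {
  found=1
  for cls in $GADGET_CLASSES; do
    path=$(printf '%s' "$cls" | tr . /).class      # dotted name -> class file path
    if printf '%s\n' "$1" | grep -qF "$path"; then
      printf '%s\n' "$cls"; found=0
    fi
  done
  return $found
}

# All three conditions. $1 is yes/no for "exposes APIs to the public network"
# (a judgement call), $2 the dependency tree text, $3 the class listing text.
triage() {
  ver=$(jackson_version_in_tree "$2")
  if [ "$1" = yes ] && [ -n "$ver" ] && jackson_affected "$ver" \
     && gadgets_present "$3" >/dev/null; then echo fix-now; else echo can-wait; fi
}

echo "jackson-databind: $(jackson_version_in_tree "$SAMPLE_TREE")"
echo "gadget classes: $(gadgets_present "$SAMPLE_JAR_LIST")"
echo "verdict: $(triage yes "$SAMPLE_TREE" "$SAMPLE_JAR_LIST")"
```

In practice feed `triage` the real `mvn dependency:tree` output and a listing built from every jar on the classpath (including jars nested under BOOT-INF/lib in a Spring Boot fat jar), since a gadget class pulled in transitively counts just as much as one you reference directly.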

✍ Summary

Laymen watch the spectacle; experts look at the substance. You can’t just say “Fastjson has a bug, and look, Jackson has one too.” That would be a bit amateurish. As the saying goes, hypotheses can be bold, but verification must be careful and conclusions cautious.

Overall, the vulnerability is so minor that I will continue my journey with Jackson.

  • It’s time to say goodbye to Fastjson
  • 1. Get to know Jackson, the best JSON library in the world
  • 2. Holy shit, Jackson writes JSON like this
  • 3. Only after knowing this can you dare to say on your resume that you can write JSON with Jackson
  • 4. How are JSON strings parsed? JsonParser
  • 5. It’s just a JsonFactory, but it’s interesting; I didn’t expect this
  • 6. Twenty and no longer confused: ObjectMapper usage is no longer confusing
  • 7. Jackson: using tree models to handle JSON is a must