@shimizukawasaki

[Vulnerability Advisory] CVE-2020-8840 / jackson-databind JNDI injection leading to remote code execution

Vulnerability description

Recently, the AsiaInfo Security Network Attack and Defense Lab observed that jackson-databind had updated its blacklist of classes usable for JNDI injection and released a new version, 2.8.11.5. If a jar containing that class is present in the project's dependencies and the JDK version is one that still permits the injection, JNDI injection can be used to achieve remote code execution.

CVE ID

CVE-2020-8840

Threat level

Medium

Unaffected versions

2.8.11.5

Vulnerability verification

The relatively recent version 2.10.1 was chosen for verification.

The main addition to the blacklist is the class org.apache.xbean.propertyeditor.JndiConverter.

Speaking of jackson-databind, one naturally thinks of fastjson, open-sourced by Alibaba.

We then used this class to attempt JNDI injection against fastjson.

With autotype enabled, this successfully bypassed fastjson 1.2.62 (the latest version at the time).

Remediation

  1. Update to the latest version
  2. Use a newer JDK version
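As an added example (not from the original advisory and not the project's own code), the blacklist-only default typing that gadget classes such as JndiConverter rely on is shown beside the allowlist-based PolymorphicTypeValidator configuration available in jackson-databind 2.10 and later; the package com.example.model is a hypothetical application package.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingHardening {

    // Weak setting: blacklist-only default typing (deprecated since 2.10).
    // Any class on the classpath that is not yet on jackson's denylist can be
    // named in a type id, which is what CVE-2020-8840 relies on.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Hardened setting: allowlist-based validator (jackson 2.10+). Only classes
    // under the hypothetical package com.example.model may be resolved from a
    // type id; anything else is rejected before the named class is instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Returns true when the mapper refuses the class named in the type id.
    static boolean rejectsTypeId(ObjectMapper mapper, String json) throws Exception {
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless JDK class named in a type id that is
        // not on the allowlist. The hardened mapper rejects it; the weak one
        // resolves and instantiates whatever class the input names.
        String probe = "[\"java.util.HashMap\", {}]";
        System.out.println("weak mapper rejects:     " + rejectsTypeId(weakMapper(), probe));
        System.out.println("hardened mapper rejects: " + rejectsTypeId(hardenedMapper(), probe));
    }
}
```

Leaving default typing disabled entirely is the stronger option where polymorphic deserialization is not needed; the allowlist is for code that must keep it.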

Timeline

[0] 2020/02/19 NVD publishes the security advisory
[1] 2020/02/21 AsiaInfo Security Network Attack and Defense Lab analyzes and reproduces the vulnerability and publishes this advisory
