CVE-2020-25649: XML External Entity (XXE) vulnerability in FasterXML Jackson Databind allows attackers to exploit improper entity expansion.


Description Preview

A vulnerability was discovered in FasterXML Jackson Databind where the library did not properly secure XML entity expansion. This flaw makes applications using Jackson Databind susceptible to XML External Entity (XXE) attacks. An attacker could exploit this vulnerability to access files on the system, perform server-side request forgery (SSRF), or conduct denial of service attacks by exploiting the way XML parsers process external entity references. This vulnerability primarily impacts data integrity, but could also lead to information disclosure or denial of service conditions depending on the implementation.

Overview

CVE-2020-25649 affects FasterXML Jackson Databind, a popular Java library used for JSON and XML processing. The vulnerability occurs because the library does not properly secure XML entity expansion, making it vulnerable to XXE attacks. When processing XML input with external entity references, the parser may resolve these references and allow an attacker to access local files, make network connections to internal systems, or cause denial of service through resource exhaustion. This vulnerability is particularly concerning for applications that process untrusted XML input using Jackson Databind. The issue affects multiple versions of the library and has been widely acknowledged across various Apache projects and other software that depends on Jackson Databind.

Remediation

To remediate this vulnerability, users should update to a patched version of Jackson Databind:

  • For Jackson 2.10.x users, update to version 2.10.5.1 or later
  • For Jackson 2.11.x users, update to version 2.11.0 or later
  • For Jackson 2.12.x users, update to version 2.12.1 or later

If immediate updating is not possible, consider implementing one of the following mitigations:

  1. Configure XML parsers to disable external entity resolution
  2. Implement input validation to reject XML containing DOCTYPE declarations
  3. Use a security gateway or WAF to filter XML input containing suspicious entity declarations
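One way to implement mitigations 1 and 2 for the JDK DOM parser that Jackson's DOM deserialization ultimately relies on, as an added example that is not code from this page or from the Jackson project; the class name, method names and the two sample documents are assumptions of this example:

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class HardenedXmlParsing {
    // Mitigation 1: a DocumentBuilderFactory that never resolves DTDs or external entities.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // No DOCTYPE at all means no entity declarations, internal or external.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case an implementation does not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }
    // Mitigation 2: coarse pre-check that refuses a DOCTYPE before any parser sees the input.
    // Untrusted input has no legitimate reason to carry a DTD, so false positives are acceptable.
    public static boolean containsDoctype(String xml) {
        return xml.matches("(?s).*<!DOCTYPE.*");
    }
    public static Document parseUntrusted(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        if (containsDoctype(xml)) {
            throw new SAXException("rejected: DOCTYPE declarations are not accepted");
        }
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }
    public static void main(String[] args) throws Exception {
        // Constructed samples; the second declares only a harmless internal entity (hypothetical).
        String plain = "<order><id>42</id></order>";
        String withDoctype = "<!DOCTYPE order [<!ENTITY note \"x\">]><order><id>&note;</id></order>";
        System.out.println(parseUntrusted(plain).getDocumentElement().getTagName());
        try {
            parseUntrusted(withDoctype);
        } catch (SAXException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The second sample is refused by the DOCTYPE pre-check before the parser runs; removing that check would still leave the hardened factory to reject it, which is the point of configuring both layers.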

Organizations using software that depends on Jackson Databind should check if their vendor has released patches addressing this vulnerability and apply them as soon as possible.

References

  • Original issue: https://github.com/FasterXML/jackson-databind/issues/2589
  • Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1887664
  • Oracle Security Advisory: https://www.oracle.com/security-alerts/cpuApr2021.html
  • NetApp Security Advisory: https://security.netapp.com/advisory/ntap-20210108-0007/
  • Apache Kafka fix: https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71%40%3Cjira.kafka.apache.org%3E
  • Apache ZooKeeper fix: https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5%40%3Ccommits.zookeeper.apache.org%3E
  • Apache Hive fix: https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc%40%3Cissues.hive.apache.org%3E
  • MITRE CWE-611: https://cwe.mitre.org/data/definitions/611.html

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing
  2. Public Administration
  3. Finance and Insurance
  4. Health Care & Social Assistance
  5. Professional, Scientific, & Technical Services
  6. Retail Trade
  7. Arts, Entertainment & Recreation
  8. Educational Services
  9. Transportation & Warehousing
  10. Management of Companies & Enterprises
  11. Utilities
  12. Other Services (except Public Administration)
  13. Wholesale Trade
  14. Accommodation & Food Services
  15. Administrative, Support, Waste Management & Remediation Services
  16. Agriculture, Forestry, Fishing & Hunting
  17. Construction
  18. Information
  19. Mining
  20. Real Estate, Rental & Leasing

Armis Vulnerability Intelligence Database