Security Bulletin number: CNTA-2017-0030
Recently, the China National Vulnerability Database (CNVD) catalogued a deserialization vulnerability in the enableDefaultTyping method of the Jackson framework, CNVD-2017-04483, submitted by CNVD white hat ayound. An attacker who exploits the vulnerability can execute arbitrary code or system commands on the server host and take control of the web server.
I. Vulnerability analysis
Jackson is an open-source Java serialization and deserialization framework: it serializes Java objects to JSON (and, with extension modules, XML) strings and provides the corresponding deserialization path. Because its parsing is fast, it is the parser built into Spring MVC. On 15 April, CNVD white hat ayound reported that Jackson contains a Java deserialization vulnerability. The CNVD Secretariat reproduced it in a local environment and confirmed that, under certain conditions, the vulnerability can be triggered to execute arbitrary code and system commands. The trigger condition is that enableDefaultTyping is called on the ObjectMapper before deserialization. This method lets the JSON string itself specify the class name of the Java object to instantiate, so wherever a target type is declared as Object, Map, List or another non-concrete type, attacker-controlled input can drive the deserialization.
CNVD rates the vulnerability as "high risk".
II. Affected versions
Affected versions are Jackson 2.7.x before 2.7.10 and 2.8.x before 2.8.9. According to the CNVD Secretariat's survey of Jackson deployments, about 9.1 million web servers on the Internet were identified as using the Jackson framework. The top five countries are the United States (68.8%), China (8.2%), the United Kingdom (4.1%), Germany (2.0%) and the Netherlands (2.0%). No further sampling has yet been done to verify the proportion actually affected.
III. Protection recommendations
The Jackson developers have responded to ayound's report and released fixed versions. Users should update to 2.7.10 or 2.8.9; the subsequent 2.9.0 release also contains the fix. Independently of the version upgrade, default typing should not be enabled on an ObjectMapper that handles untrusted input, and fields of non-concrete type (Object, Map, List) should be avoided in classes bound from such input.
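The example below is added to this bulletin to illustrate both the trigger condition described in section I and the configuration advice above; it is not code from CNVD or from the Jackson project. The Event and SideEffect classes, the JSON payload and the field name "payload" are constructed for the demonstration: SideEffect stands in for whatever class an attacker names, and its setter only prints, so the block shows the mechanism (class name and setter arguments taken from the JSON) without naming any real gadget class, which the bulletin does not do either. The code compiles against jackson-databind 2.7/2.8.

```java
import com.fasterxml.jackson.databind.ObjectMapper;

public class DefaultTypingDemo {

    // Application class bound from request JSON. The Object-typed field is the
    // sink: with default typing enabled, the JSON may name the class to build.
    public static class Event {
        public String name;
        public Object payload;
    }

    // Hypothetical stand-in for an attacker-chosen class. Any public class on
    // the classpath with a no-arg constructor and setters can be instantiated
    // and have its setters called with attacker-supplied values.
    public static class SideEffect {
        public void setTarget(String target) {
            System.out.println("SideEffect.setTarget called with: " + target);
        }
    }

    // Constructed payload. ["fully.qualified.ClassName", {...}] is Jackson's
    // default WRAPPER_ARRAY encoding for a polymorphic Object value.
    static final String PAYLOAD =
        "{\"name\":\"login\",\"payload\":[\""
        + SideEffect.class.getName()
        + "\",{\"target\":\"/tmp/attacker-chosen\"}]}";

    // Vulnerable configuration: enableDefaultTyping() before readValue().
    public static Event vulnerable(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // class name is now taken from the JSON
        return mapper.readValue(json, Event.class);
    }

    // Hardened configuration: default typing left off. The same JSON array is
    // bound as a plain List (a String and a LinkedHashMap); no class is loaded.
    public static Event hardened(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(json, Event.class);
    }

    public static void main(String[] args) throws Exception {
        Event v = vulnerable(PAYLOAD);
        // prints DefaultTypingDemo$SideEffect: the JSON chose the class
        System.out.println("vulnerable payload type: " + v.payload.getClass().getName());

        Event h = hardened(PAYLOAD);
        // prints java.util.ArrayList: the array stayed data, no setter ran
        System.out.println("hardened payload type:   " + h.payload.getClass().getName());
    }
}
```

Running main with the vulnerable mapper prints the line from setTarget before the type line, which is the whole problem: the server executed a method of a class it never intended to build, with an argument the client chose. With the hardened mapper the setter is never reached. Replacing `Object payload` with a concrete class closes the hole even if someone later re-enables default typing on that mapper.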
Reference link:
https://github.com/FasterXML/jackson-databind/issues/1599 (fix and security recommendations)