Identity Portal 14.4 Vulnerability - JSON Java Deserialization Remote Code Execution Potential – Jackson

Article ID: 221032

Products

CA Identity Suite
CA Identity Portal

Issue/Introduction

During penetration testing, the testing team found the vulnerability described below.

Could you please remove it, and let me know whether it is possible to upgrade to the latest version of the Jackson databind API on the Identity Portal 14.4 servers?

JSON Java Deserialization Remote Code Execution Potential – Jackson

Observation

One or more JSON parameters appeared to be processed by the application in an unsafe way that permitted deserialization of Java objects using the Jackson databind library/API.

Implication

It may be possible for an attacker to cause a denial of service condition or execute arbitrary code on the server due to the deserialization mechanism used by the framework.

Findings

Verbose error messages disclosed that the application used the Jackson databind library to deserialize JSON objects. It was noted that several conditions, including non-default server-side configurations to enable “Default Typing”, are required to exploit this issue to the extent of executing arbitrary commands on the server. The testing team was unable to confirm whether all conditions were met, as attempts to achieve remote code execution with known exploit payloads were unsuccessful. However, it was observed that the server did not respond when a request included a properly formatted payload. It was unclear whether this was a result of server-side processing or WAF behavior intended to drop malicious requests.

Figure 9:   An invalid Jackson payload resulted in a response time of 70 milliseconds.

Figure 10: A valid Jackson payload did not receive a response from the server.

Recommendation

Upgrade to the latest version of the Jackson databind API. All user-supplied input should be properly validated server-side to ensure the data only contains objects of expected types. All types/classes that the application allows to be deserialized should be reviewed to ensure that dangerous behavior cannot be triggered by deserializing objects of those types.
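The Findings section notes that the non-default "Default Typing" setting is one of the conditions for this issue, and the Recommendation asks that only expected types be deserializable. The following added example (written for this article, not code from Identity Portal or from the Jackson project) shows the three relevant ObjectMapper configurations side by side: the unrestricted legacy setting, an allowlisted setting, and no default typing at all. The `Envelope` class, the `com.example.model.` package prefix and the JSON input are constructed for illustration; the allowlist API (`activateDefaultTyping` with a `PolymorphicTypeValidator`) exists from jackson-databind 2.10 onward, while on 2.9.x the equivalent hardening is simply to leave default typing disabled.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonDefaultTypingCheck {

    // Hypothetical request envelope: "payload" is declared as Object, which is
    // exactly the kind of property default typing lets the JSON choose a class for.
    public static class Envelope {
        public String action;
        public Object payload;
    }

    // Constructed input. In Jackson's WRAPPER_ARRAY form the first array element
    // names the class to instantiate for the Object-typed property. java.util.HashMap
    // is used only because it is harmless; the point is that the client picks the class.
    static final String TYPED_JSON =
        "{\"action\":\"update\",\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

    // Weak setting the finding refers to: unrestricted default typing
    // (deprecated since jackson-databind 2.10). Any class named in the JSON is resolved.
    static ObjectMapper legacyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // Hardened setting (jackson-databind 2.10+): default typing applies only to
    // Object-typed properties, and only classes under the allowlisted package resolve.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")   // hypothetical application package
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT);
        return m;
    }

    // Safest setting: no default typing at all. The array is read as a plain List
    // and the string inside it is never treated as a class name.
    static ObjectMapper plainMapper() {
        return new ObjectMapper();
    }

    // Reports the runtime class bound to "payload", or why the input was rejected.
    static String describe(ObjectMapper mapper) {
        try {
            Envelope env = mapper.readValue(TYPED_JSON, Envelope.class);
            return "accepted, payload is " + env.payload.getClass().getName();
        } catch (InvalidTypeIdException e) {
            return "rejected type id '" + e.getTypeId() + "'";
        } catch (java.io.IOException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("legacy:   " + describe(legacyMapper()));
        System.out.println("hardened: " + describe(hardenedMapper()));
        System.out.println("plain:    " + describe(plainMapper()));
    }
}
```

Run against a jackson-databind 2.10 or later classpath, the legacy mapper instantiates whatever class the JSON names, the hardened mapper throws `InvalidTypeIdException` for anything outside `com.example.model.`, and the plain mapper binds the payload to an ordinary `ArrayList`. When reviewing an application for this finding, the things to look for are calls to `enableDefaultTyping` or `activateDefaultTyping`, and `@JsonTypeInfo` annotations using class-name type ids without a restrictive `@JsonSubTypes` list or validator.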

References

OWASP ASVS v4.0: 1.5.2-Input and Output Architecture

OWASP ASVS v4.0: 5.5.1-Deserialization Prevention Requirements

CVE: CVE-2017-7525

https://github.com/FasterXML/jackson-databind/issues/1599

Access Context | Object/Function | Parameter           | HTTP Method
(Any)          | /sigma/rest/*   | All JSON parameters | POST

Environment

Release : 14.4

Component : SIGMA-Identity Suite

Resolution

Engineering confirms that the reported Jackson databind vulnerability is already fixed in Identity Portal 14.4. No further action is necessary.

Identity Portal 14.4 already ships Jackson databind (jackson-databind) version 2.9.8, which is not affected by this vulnerability.

The vulnerability, CVE-2017-7525, exists in Jackson databind version 2.8.9 and older; it is fixed in all versions later than 2.8.9.