search cancel

Idenitty portal - 14.4 Vulnerability - JSON Java Deserialization Remote Code Execution Potential – Jackson


Article ID: 221032


Updated On:


CA Identity Suite CA Identity Portal


During PEN testing, the testing team found the below-mentioned vulnerability.

Could you please remove and let me know if possible to upgrade the latest version of the Jackson databind API on Identity portal servers 14.4



JSON Java Deserialization Remote Code Execution Potential – Jackson


One or more JSON parameters appeared to be processed by the application in an unsafe way that permitted deserialization of Java objects using the Jackson databind library/API.


It may be possible for an attacker to cause a denial of service condition or execute arbitrary code on the server due to the deserialization mechanism used by the framework.


Verbose error messages disclosed that the application used the Jackson databind library to deserialize JSON objects. It was noted that several conditions, including non-default server-side configurations to enable “Default Typing”, are required to exploit this issue to the extent of executing arbitrary commands on the server. The testing team was unable to confirm whether all conditions were met, as attempts to achieve remote code execution with known exploit payloads were unsuccessful. However, it was observed that the server did not respond when a request included a properly formatted payload. It was unclear whether this was a result of server-side processing or WAF behavior intended to drop malicious requests.

Figure 9:   An invalid Jackson payload resulted in a response time of 70 milliseconds.


Figure 10: A valid Jackson payload did not receive a response from the server.



Upgrade to the latest version of the Jackson databind API. All user-supplied input should be properly validated server-side to ensure the data only contains objects of expected types. All types/classes that the application allows to be deserialized should be reviewed to ensure that dangerous behavior cannot be triggered by deserializing objects of those types.


OWASP ASVS v4.0: 1.5.2-Input and Output Architecture

OWASP ASVS v4.0: 5.5.1-Deserialization Prevention Requirements

CVE: CVE-2017-7525


Access Context



HTTP Method



All JSON parameters



Release : 14.4

Component : SIGMA-Identity Suite


 Engineering confirms that the reported Jackson binding vulnerability is already fixed in Identity Portal 14.4. No further action is necessary.

The Identity Portal version 14.4 already has the Jackson binding version 2.9.8 which does not suffer from the vulnerability.

The vulnerability, CVE-2017-7525, exists in the Jackson Binding version 2.8.9 and older.  The vulnerability is fixed in all later versions from 2.8.9.