Polymorphic deserialization with jackson-databind in the XOM
This vulnerability is related to an external library. In 2017, a polymorphic deserialization vulnerability (CVE-2017-7525) was reported in the jackson-databind JAR file. Nearly 30 CVEs were derived from it, because a new CVE was reported for each newly discovered exploitable class (gadget class). Automation Decision Services uses a recent version of jackson-databind in which all known gadget classes are blocked. Although the known CVEs are resolved, new gadget classes may be found in the future. When you use your own executable object model (XOM) in Automation Decision Services, you must make sure that your XOM Java™ classes do not permit generic polymorphic typing.
The jackson-databind API is used in Automation Decision Services to deserialize JSON payloads into Java objects. A gadget class is a class that is present on the Java class path and whose constructor, getter, or setter produces a side effect that can be exploited. For example, getConnection() in a database driver can trigger a side effect. The vulnerability is exposed when a polymorphic property is declared with a generic type such as java.lang.Object or java.lang.Serializable, because the JSON payload can then name the class to instantiate. During the deserialization phase, the gadget class code allows the application to be attacked. This is enabled in one of the following two cases:
- Using the @JsonSubTypes type annotation in your Java model
- Using the objectMapper.enableDefaultTyping() method. However, the JSON deserializer in Automation Decision Services does not use this method and is not vulnerable.
For example, the following Java XOM class definition is annotated to enable polymorphic deserialization:

import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;

@JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY)
@JsonSubTypes({
    @JsonSubTypes.Type(value = Dog.class, name = "Dog"),
    @JsonSubTypes.Type(value = Cat.class, name = "Cat"),
    @JsonSubTypes.Type(value = Monkey.class, name = "Monkey")
})
public class Animal {
    …
}

where Animal is a base class (abstract or not) with three subclasses, Dog, Cat, and Monkey. Because the type id is a logical name (JsonTypeInfo.Id.NAME) and the subtypes are listed explicitly, a payload can instantiate only Dog, Cat, or Monkey, so keep that list to your own XOM classes. The dangerous form is a property of a generic type such as java.lang.Object combined with JsonTypeInfo.Id.CLASS or default typing, because the payload then names the class to instantiate.
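As an added example (not code from the Automation Decision Services documentation or product), the following Java program contrasts the two cases listed above with the annotated Animal model: a bounded @JsonSubTypes list, enableDefaultTyping() on a java.lang.Object property, and the allow-listed replacement that jackson-databind 2.10 and later provide through activateDefaultTyping with a PolymorphicTypeValidator. The package com.example.xom, the classes Shelter, GenericHolder and Note, and the JSON payloads are constructed for the illustration; the program assumes jackson-databind 2.10 or later on the class path.

```java
// Added example for this page; it is not code from Automation Decision Services.
// Assumes jackson-databind 2.10 or later; the package and class names are illustrative.
package com.example.xom;

import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicXomDemo {

    // Bounded polymorphism, as on this page: the type id is a logical name and
    // only the listed subtypes can be instantiated, whatever the payload says.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY)
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Dog.class, name = "Dog"),
        @JsonSubTypes.Type(value = Cat.class, name = "Cat")
    })
    public abstract static class Animal { public String name; }
    public static class Dog extends Animal { }
    public static class Cat extends Animal { }

    // XOM class whose property uses the bounded base type.
    public static class Shelter { public Animal resident; }

    // XOM class with a generic polymorphic property: with default typing active,
    // the JSON payload rather than the model decides which class is instantiated.
    public static class GenericHolder { public Object payload; }

    // An ordinary XOM class that the hardened allow-list below still permits.
    public static class Note { public String text; }

    /** Deserializes json into target and reports which class Jackson instantiated, or why it refused. */
    static String attempt(ObjectMapper mapper, String json, Class<?> target) {
        try {
            Object value = mapper.readValue(json, target);
            Object inner = (value instanceof Shelter) ? ((Shelter) value).resident
                                                      : ((GenericHolder) value).payload;
            return "accepted, instantiated " + inner.getClass().getName();
        } catch (JsonProcessingException e) {
            return "rejected: " + e.getOriginalMessage();
        }
    }

    @SuppressWarnings("deprecation")
    public static void main(String[] args) {
        // Constructed sample payloads. "@type" is Jackson's default property name for JsonTypeInfo.Id.NAME.
        String listedSubtype = "{\"resident\":{\"@type\":\"Dog\",\"name\":\"Rex\"}}";
        String unlistedSubtype = "{\"resident\":{\"@type\":\"Wolf\",\"name\":\"Grey\"}}";
        // Default typing uses a wrapper array: [ "<fully qualified class name>", <value> ].
        String jdkClass = "{\"payload\":[\"java.util.HashMap\",{\"greeting\":\"hi\"}]}";
        String xomClass = "{\"payload\":[\"com.example.xom.PolymorphicXomDemo$Note\",{\"text\":\"ok\"}]}";

        // 1. Plain mapper with the annotated Animal hierarchy: the subtype list is the whole attack surface.
        ObjectMapper plain = new ObjectMapper();
        System.out.println("NAME id, listed   : " + attempt(plain, listedSubtype, Shelter.class));
        System.out.println("NAME id, unlisted : " + attempt(plain, unlistedSubtype, Shelter.class));

        // 2. The case the page warns about: enableDefaultTyping() (deprecated since 2.10) on a
        //    java.lang.Object property lets the payload name any class Jackson can construct.
        ObjectMapper unsafe = new ObjectMapper();
        unsafe.enableDefaultTyping();
        System.out.println("default typing    : " + attempt(unsafe, jdkClass, GenericHolder.class));

        // 3. Hardened form: default typing only through an explicit allow-list of your own XOM package,
        //    so class names outside it are refused before any constructor or setter runs.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.xom.")
                .build();
        ObjectMapper hardened = new ObjectMapper();
        hardened.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        System.out.println("allow-list, JDK   : " + attempt(hardened, jdkClass, GenericHolder.class));
        System.out.println("allow-list, XOM   : " + attempt(hardened, xomClass, GenericHolder.class));
    }
}
```

Compile and run it with jackson-databind on the class path. The program deliberately uses no gadget class: java.util.HashMap is harmless, and the point is only that under enableDefaultTyping() the payload, not the model, chooses the class, which is exactly the freedom a gadget class needs. Expect the unlisted "Wolf" id and the JDK class name under the allow-list to be refused with a mapping error, while the listed subtype and the allow-listed XOM class are instantiated.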