Java: Unsafe deserialization with Jackson

[artem-smotrakov]

Query

github/codeql#5900

CVE ID(s)

• CVE-2016-8749

Report

Deserialization of untrusted data with Jackson is known to be dangerous:

https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true

I'd like to propose to add sinks for Jackson to UnsafeDeserialization.ql.

There are multiples CVEs for deserialization gadgets for Jackson Databind:

https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html

Those CVEs create quite a lot of noise because many applications don't use polymorphic typing. The query would help check if applications are really affected by such CVEs. On the other hand, if an application actually turns on polymorphic typing, and deserializes data from remote peers, that would be a significant security risk that can be identified by this query.

• Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

I am planning to write wrote a blog post about detecting such issues.

Result(s)

• The query detects CVE-2016-8749 in Apache Camel 2.16.4.

[ghsecuritylab]

Your submission is now in status SecLab review.

For information, the evaluation workflow is the following:
SecLab review > FP Check > CodeQL review > SecLab finalize > Pay > Closed

[ghsecuritylab]

Your submission is now in status FP Check.

For information, the evaluation workflow is the following:
SecLab review > FP Check > CodeQL review > SecLab finalize > Pay > Closed

[ghsecuritylab]

Your submission is now in status CodeQL review.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

[ghsecuritylab]

Your submission is now in status SecLab finalize.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

[artem-smotrakov]

FYI I wrote a blog post about detecting Jackson deserialization vulnerabilities with CodeQL.

[ghsecuritylab]

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

[xcorail]

Created Hackerone report 1287573 for bounty 323069 : [368] Java: Unsafe deserialization with Jackson

[ghsecuritylab]

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed