Skip to content

Latest commit

 

History

History
114 lines (103 loc) · 10.6 KB

mitigations.md

File metadata and controls

114 lines (103 loc) · 10.6 KB

Mitigation Strategies Analysis for fasterxml/jackson-databind

Mitigation Strategy: Keep Jackson-databind Up-to-Date

  • Description:
    1. Identify Current Version: Determine the version of jackson-databind currently used in your project by checking dependency management files (e.g., pom.xml, build.gradle, requirements.txt).
    2. Check for Updates: Regularly check for newer versions of jackson-databind on the official Jackson website, Maven Central, or security advisories.
    3. Review Release Notes: Before updating, review release notes for security patches and potential breaking changes.
    4. Update Dependency: Update jackson-databind dependency in your project's dependency management file to the latest stable version.
    5. Test Thoroughly: After updating, perform thorough testing to ensure compatibility and no regressions, including security-focused tests.
    6. Automate Updates (where possible): Use dependency management tools or bots for automated dependency update suggestions, especially for security updates.
  • List of Threats Mitigated:
    • Deserialization Vulnerabilities (RCE): Severity: High. Outdated versions are vulnerable to known RCE exploits.
    • Deserialization Vulnerabilities (DoS): Severity: Medium. Some vulnerabilities can cause DoS through parsing inefficiencies or exceptions.
    • Information Disclosure: Severity: Medium. Certain vulnerabilities might lead to information disclosure.
  • Impact:
    • Deserialization Vulnerabilities (RCE): High reduction. Patches directly address RCE vulnerabilities.
    • Deserialization Vulnerabilities (DoS): Moderate reduction. Updates often include performance and DoS-related fixes.
    • Information Disclosure: Moderate reduction. Patches can close information disclosure vulnerabilities.
  • Currently Implemented: Partially implemented. Dependency management makes updates possible, but regular and proactive updates are often missing.
    • Dependency management files define dependencies.
    • Build processes fetch dependencies.
  • Missing Implementation:
    • Automated dependency checking and update processes.
    • Regular schedule for dependency updates and security reviews.
    • Clear process for applying security patches promptly.

Mitigation Strategy: Disable Default Typing

  • Description:
    1. Locate ObjectMapper Configuration: Find where ObjectMapper instances are created and configured in your application code.
    2. Disable Default Typing: Explicitly disable default typing using objectMapper.disableDefaultTyping(); for each ObjectMapper instance.
    3. Verify Configuration: Ensure default typing is not enabled through other means (configuration files, annotations).
    4. Test Application: Thoroughly test your application after disabling default typing.
    5. Refactor if Necessary: If relying on default typing, refactor to use explicit type handling like @JsonTypeInfo, @JsonSubTypes, or custom deserializers.
  • List of Threats Mitigated:
    • Deserialization Vulnerabilities (RCE): Severity: High. Disabling default typing significantly reduces RCE attack surface.
    • Deserialization Vulnerabilities (DoS): Severity: Medium. Prevents DoS through unexpected class instantiation via default typing.
  • Impact:
    • Deserialization Vulnerabilities (RCE): High reduction. Primary mitigation against many jackson-databind RCE vulnerabilities.
    • Deserialization Vulnerabilities (DoS): Moderate reduction. Reduces DoS attacks related to uncontrolled deserialization.
  • Currently Implemented: Rarely fully implemented. Default typing is often enabled without full security awareness.
    • Developers might be aware of ObjectMapper configuration.
  • Missing Implementation:
    • Explicitly disabling default typing in ObjectMapper configurations application-wide.
    • Code reviews specifically checking for and disabling default typing.
    • Security guidelines discouraging default typing without strong justification and validation.

Mitigation Strategy: Implement PolymorphicTypeValidator

  • Description:
    1. Identify Polymorphic Deserialization Points: Locate code areas using polymorphic deserialization and default typing (or similar).
    2. Create Custom PolymorphicTypeValidator: Implement a custom PolymorphicTypeValidator to whitelist allowed base types and subtypes.
    3. Configure ObjectMapper with Validator: Set the custom validator on ObjectMapper using objectMapper.setDefaultTyping(PolymorphicTypeValidator).
    4. Define Whitelist Precisely: Define a strict whitelist, including only necessary classes. Avoid broad whitelists.
    5. Test Thoroughly: Test all polymorphic deserialization scenarios to ensure the validator works and handles disallowed types correctly.
    6. Regularly Review Whitelist: Periodically review and update the whitelist as application evolves.
  • List of Threats Mitigated:
    • Deserialization Vulnerabilities (RCE): Severity: High. A well-configured validator prevents arbitrary class deserialization, mitigating RCE.
    • Deserialization Vulnerabilities (DoS): Severity: Medium. Reduces DoS risk by controlling deserialized types.
  • Impact:
    • Deserialization Vulnerabilities (RCE): High reduction. Strong control over deserialization, significantly reduces RCE risk when default typing is needed.
    • Deserialization Vulnerabilities (DoS): Moderate reduction. Limits allowed types, reducing DoS potential.
  • Currently Implemented: Rarely implemented, especially custom validators. Default typing is used often without validation.
    • Some projects might use @JsonTypeInfo and @JsonSubTypes for controlled polymorphism.
  • Missing Implementation:
    • Custom PolymorphicTypeValidator implementations across projects.
    • Standardized validators for common use cases.
    • Documentation and training on PolymorphicTypeValidator implementation and use.

Mitigation Strategy: Class Whitelisting with Annotations (@JsonTypeInfo, @JsonSubTypes)

  • Description:
    1. Identify Polymorphic Classes: Determine base classes and valid subtypes for polymorphic deserialization.
    2. Annotate Base Class with @JsonTypeInfo: Add @JsonTypeInfo to the base class, configuring type information inclusion (e.g., use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY, property = "@type").
    3. Annotate Base Class with @JsonSubTypes: Add @JsonSubTypes to the base class, using @JsonSubTypes.Type to list allowed subtypes with associated names/IDs.
    4. Remove Default Typing (if used): Remove default typing as annotations provide controlled alternative.
    5. Test Polymorphic Deserialization: Test to ensure only whitelisted subtypes are deserialized and type information is processed correctly.
  • List of Threats Mitigated:
    • Deserialization Vulnerabilities (RCE): Severity: High. Whitelisting with annotations prevents RCE by blocking arbitrary class instantiation.
    • Deserialization Vulnerabilities (DoS): Severity: Medium. Limits deserialized types, reducing DoS potential.
  • Impact:
    • Deserialization Vulnerabilities (RCE): High reduction. Strong control over polymorphic deserialization, significantly reduces RCE risk.
    • Deserialization Vulnerabilities (DoS): Moderate reduction. Limits allowed types, reducing DoS potential.
  • Currently Implemented: Partially implemented in projects needing controlled polymorphic deserialization.
    • Projects using polymorphism might use these annotations for functionality.
  • Missing Implementation:
    • Consistent use of @JsonTypeInfo and @JsonSubTypes for all polymorphic deserialization.
    • Security reviews to ensure annotations are correctly and comprehensively applied.
    • Developer awareness of using annotations for security in polymorphic deserialization.

Mitigation Strategy: Implement Custom Deserializers with Strict Type Checking

  • Description:
    1. Identify Complex Deserialization Logic: Locate areas with complex deserialization, especially with polymorphism or specific data structures.
    2. Create Custom Deserializers: Implement custom JsonDeserializer classes for these scenarios.
    3. Implement Strict Type Checking in Deserializers: In custom deserializers, perform rigorous type checking and validation. Instantiate only explicitly expected classes.
    4. Register Custom Deserializers: Register custom deserializers with ObjectMapper using SimpleModule or other mechanisms.
    5. Test Custom Deserializers: Thoroughly test with valid and invalid inputs, including malicious payloads, to ensure correct type checking and prevent unexpected object instantiation.
  • List of Threats Mitigated:
    • Deserialization Vulnerabilities (RCE): Severity: High. Custom deserializers with strict type checking prevent RCE by ensuring only safe classes are instantiated.
    • Deserialization Vulnerabilities (DoS): Severity: Medium. Reduces DoS risk by controlling object instantiation.
    • Data Integrity Issues: Severity: High. Custom deserializers enforce data integrity through input validation.
  • Impact:
    • Deserialization Vulnerabilities (RCE): High reduction. Fine-grained control over deserialization, significantly reduces RCE risk in complex scenarios.
    • Deserialization Vulnerabilities (DoS): Moderate reduction. Limits deserialized types and complexity, reducing DoS potential.
    • Data Integrity Issues: High reduction. Enforces data validation and improves data quality.
  • Currently Implemented: Implemented in projects with complex data models or specific deserialization needs.
    • Developers might use custom deserializers for data transformation or parsing.
  • Missing Implementation:
    • Security-focused custom deserializers prioritizing type safety and preventing arbitrary object instantiation.
    • Guidelines and best practices for developing secure custom deserializers.
    • Code reviews focusing on security aspects of custom deserializers.