VYPR
Get started
← All advisories
High severity8.1NVD Advisory· Published Nov 27, 2017· Updated May 13, 2026

CVE-2017-4995

CVE-2017-4995

Description

An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets." Spring Security configures Jackson with global default typing enabled, which means that (through the previous exploit) arbitrary code could be executed if all of the following is true: (1) Spring Security's Jackson support is being leveraged by invoking SecurityJackson2Modules.getModules(ClassLoader) or SecurityJackson2Modules.enableDefaultTyping(ObjectMapper); (2) Jackson is used to deserialize data that is not trusted (Spring Security does not perform deserialization using Jackson, so this is an explicit choice of the user); and (3) there is an unknown (Jackson is not blacklisting it already) "deserialization gadget" that allows code execution present on the classpath. Jackson provides a blacklisting approach to protecting against this type of attack, but Spring Security should be proactive against blocking unknown "deserialization gadgets" when Spring Security enables default typing.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.springframework.security:spring-security-coreMaven
>= 4.2.0.RELEASE, < 4.2.3.RELEASE4.2.3.RELEASE
org.springframework.security:spring-security-coreMaven
>= 5.0.0.M1, < 5.0.0.M25.0.0.M2

Affected products

5

Patches

2
60d459cedcf0

Fix #1599 for 2.8.9

https://github.com/FasterXML/jackson-databindTatu SalorantaApr 13, 2017via ghsa
commit
3 files changed · +91 1
  • release-notes/VERSION+2 0 modified
    @@ -8,6 +8,8 @@ Project: jackson-databind
 #1585: Invoke ServiceLoader.load() inside of a privileged block when loading
   modules using `ObjectMapper.findModules()`
  (contributed by Ivo S)
+#1599: Jackson Deserializer security vulnerability
+ (reported by ayound@github)
 
 2.8.8 (05-Apr-2017)
  • src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java+49 1 modified
    @@ -38,7 +38,36 @@ public class BeanDeserializerFactory
     private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { Throwable.class };
 
     private final static Class<?>[] NO_VIEWS = new Class<?>[0];
-    
+
+    /**
+     * Set of well-known "nasty classes", deserialization of which is considered dangerous
+     * and should (and is) prevented by default.
+     *
+     * @since 2.8.9
+     */
+    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
+    static {
+        Set<String> s = new HashSet<>();
+        // Courtesy of [https://github.com/kantega/notsoserial]:
+        // (and wrt [databind#1599]
+        s.add("org.apache.commons.collections.functors.InvokerTransformer");
+        s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+        s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+        s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
+        s.add("org.codehaus.groovy.runtime.ConvertedClosure");
+        s.add("org.codehaus.groovy.runtime.MethodClosure");
+        s.add("org.springframework.beans.factory.ObjectFactory");
+        s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+    }
+
+    /**
+     * Set of class names of types that are never to be deserialized.
+     *
+     * @since 2.8.9
+     */
+    protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
+
     /*
     /**********************************************************
     /* Life-cycle
@@ -137,6 +166,8 @@ public JsonDeserializer<Object> createBeanDeserializer(DeserializationContext ct
         if (!isPotentialBeanType(type.getRawClass())) {
             return null;
         }
+        // For checks like [databind#1599]
+        checkIllegalTypes(ctxt, type, beanDesc);
         // Use generic bean introspection to build deserializer
         return buildBeanDeserializer(ctxt, type, beanDesc);
     }
@@ -855,4 +886,21 @@ protected boolean isIgnorableType(DeserializationConfig config, BeanDescription
         ignoredTypes.put(type, status);
         return status.booleanValue();
     }
+
+    /**
+     * @since 2.8.9
+     */
+    protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+            BeanDescription beanDesc)
+        throws JsonMappingException
+    {
+        // There are certain nasty classes that could cause problems, mostly
+        // via default typing -- catch them here.
+        String full = type.getRawClass().getName();
+
+        if (_cfgIllegalClassNames.contains(full)) {
+            ctxt.reportBadTypeDefinition(beanDesc,
+                    "Illegal type (%s) to deserialize: prevented for security reasons", full);
+        }
+    }
 }
  • src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java+40 0 added
    @@ -0,0 +1,40 @@
+package com.fasterxml.jackson.databind.interop;
+
+import com.fasterxml.jackson.databind.*;
+
+/**
+ * Test case(s) to guard against handling of types that are illegal to handle
+ * due to security constraints.
+ */
+public class IllegalTypesCheckTest extends BaseMapTest
+{
+    static class Bean1599 {
+        public int id;
+        public Object obj;
+    }
+    
+    public void testIssue1599() throws Exception
+    {
+        final String JSON = aposToQuotes(
+ "{'id': 124,\n"
++" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n"
++"  {\n"
++"    'transletBytecodes' : [ 'AAIAZQ==' ],\n"
++"    'transletName' : 'a.b',\n"
++"    'outputProperties' : { }\n"
++"  }\n"
++" ]\n"
++"}"
+        );
+        ObjectMapper mapper = new ObjectMapper();
+        mapper.enableDefaultTyping();
+        try {
+            mapper.readValue(JSON, Bean1599.class);
+            fail("Should not pass");
+        } catch (JsonMappingException e) {
+            verifyException(e, "Illegal type");
+            verifyException(e, "to deserialize");
+            verifyException(e, "prevented for security reasons");
+        }
+    }
+}
6ce32ffd18fa

Fix #1599 for 2.7(.10)

https://github.com/FasterXML/jackson-databindTatu SalorantaApr 13, 2017via ghsa
commit
3 files changed · +65 0
  • release-notes/VERSION+2 0 modified
    @@ -6,6 +6,8 @@ Project: jackson-databind
 
 2.7.10 (not yet released)
 
+#1599: Jackson Deserializer security vulnerability
+ (reported by ayound@github)
 - Minor robustification of method resolution in `AnnotatedClass`
 
 2.7.9 (04-Feb-2017)
  • src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java+23 0 modified
    @@ -139,6 +139,8 @@ public JsonDeserializer<Object> createBeanDeserializer(DeserializationContext ct
         if (!isPotentialBeanType(type.getRawClass())) {
             return null;
         }
+        // For checks like [databind#1599]
+        checkIllegalTypes(ctxt, type, beanDesc);
         // Use generic bean introspection to build deserializer
         return buildBeanDeserializer(ctxt, type, beanDesc);
     }
@@ -834,4 +836,25 @@ protected boolean isIgnorableType(DeserializationConfig config, BeanDescription
         // We default to 'false', i.e. not ignorable
         return (status == null) ? false : status.booleanValue(); 
     }
+
+    /**
+     * @since 2.8.9
+     */
+    protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+            BeanDescription beanDesc)
+        throws JsonMappingException
+    {
+        // There are certain nasty classes that could cause problems, mostly
+        // via default typing -- catch them here.
+        Class<?> raw = type.getRawClass();
+        String name = raw.getSimpleName();
+
+        if ("TemplatesImpl".equals(name)) { // [databind#1599] 
+            if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
+                throw JsonMappingException.from(ctxt,
+                        String.format("Illegal type (%s) to deserialize: prevented for security reasons",
+                                name));
+            }
+        }
+    }
 }
  • src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java+40 0 added
    @@ -0,0 +1,40 @@
+package com.fasterxml.jackson.databind.interop;
+
+import com.fasterxml.jackson.databind.*;
+
+/**
+ * Test case(s) to guard against handling of types that are illegal to handle
+ * due to security constraints.
+ */
+public class IllegalTypesCheckTest extends BaseMapTest
+{
+    static class Bean1599 {
+        public int id;
+        public Object obj;
+    }
+    
+    public void testIssue1599() throws Exception
+    {
+        final String JSON = aposToQuotes(
+ "{'id': 124,\n"
++" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n"
++"  {\n"
++"    'transletBytecodes' : [ 'AAIAZQ==' ],\n"
++"    'transletName' : 'a.b',\n"
++"    'outputProperties' : { }\n"
++"  }\n"
++" ]\n"
++"}"
+        );
+        ObjectMapper mapper = new ObjectMapper();
+        mapper.enableDefaultTyping();
+        try {
+            mapper.readValue(JSON, Bean1599.class);
+            fail("Should not pass");
+        } catch (JsonMappingException e) {
+            verifyException(e, "Illegal type");
+            verifyException(e, "to deserialize");
+            verifyException(e, "prevented for security reasons");
+        }
+    }
+}

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

14

News mentions

0

No linked articles in our index yet.