Vulnerabilities can be tricky to detect. Flaws in third-party and downstream vendor code can be even harder to find, often because of the ways libraries interact with each other.
According to a blog posted on 15 May by Chetan Conikee, CTO and co-founder of ShiftLeft, a Java-deserialization-based remote-code-execution (RCE) vulnerability has impacted numerous software-as-a-service (SaaS) software development kits (SDKs).
"In the majority of cases, a subset of the gadget chain (circumstances to exploit the deserialization vulnerability) is being triggered by customer application’s dependency on one or more 3rd party Software-as-a-Service SDKs, which in turn depends on a vulnerable version of jackson-databind," Conikee wrote.
The gadget chain consists of a series of links uncovered by examining the application's "DNA". Researchers first examined the application's attack surface and performed data flow analysis, then turned to software composition analysis, which covered the application logic, its open source frameworks and dependencies, and third-party SaaS SDKs.
"Note that this is entirely derived from connecting the semantic graph of the application with [its] direct transitive dependencies and 3rd party SDK dependencies," Conikee wrote. The final stage examines attack payload detection and the application's operational state characteristics.
These stages are sequential and time-consuming, which often leaves security teams having to choose between suspending service and risking exploitation of a known vulnerability.
Illustrating the widespread impact using the Jackson-Databind module of the Jackson library, Conikee wrote, "An application that uses jackson-databind will become vulnerable when the enableDefaultTyping method is called via the ObjectMapper object within the application. An attacker can thus compromise the application by sending maliciously crafted JSON input to gain direct control over a server."
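As an added illustration, not code from the post or from ShiftLeft, the weak ObjectMapper setting the quote describes is shown beside a hardened one. It assumes the Jackson 2.10+ activateDefaultTyping API with a PolymorphicTypeValidator is available; the "com.example.model." package prefix is a hypothetical placeholder.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingConfig {

    // Weak setting: the call named in the post. With default typing enabled,
    // the mapper honours type hints embedded in the JSON it parses, so untrusted
    // input gets to decide which classes are instantiated during deserialization.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since Jackson 2.10; avoid
        return mapper;
    }

    // Hardened setting: if polymorphic deserialization is genuinely required,
    // restrict the classes that may be named in the input to an explicit
    // allowlist via a PolymorphicTypeValidator (Jackson 2.10+).
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.") // hypothetical package prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Safest setting when type hints are not needed at all: leave default
    // typing off, which is what a freshly constructed ObjectMapper does.
    static ObjectMapper plainMapper() {
        return new ObjectMapper();
    }
}
```

Because the post's finding is that the risky call often lives inside a third-party SDK rather than the application itself, reviewing only the application's own mappers is not sufficient; the SDK's jackson-databind version and its mapper configuration need the same review.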
A proof of concept (PoC) exploit for this vulnerability is publicly available.
Though ShiftLeft is still working through the disclosure process for the several vulnerabilities it has identified, two organizations have already fixed the problem.
"We can share that the following SDKs have been impacted and we applaud these organizations for their rapid response: SendGrid (upgrade to v4.2.1) and GoodData (upgrade to v2.25.1-SNAPSHOT)," Conikee wrote. ShiftLeft will continue to offer public applause and announce each vendor as updates are provided.