CVE-2020-35728: n/a in n/a

High
Published: Sun Dec 27 2020 (12/27/2020, 04:32:36 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

AI-Powered Analysis

Last updated: 06/25/2025, 17:22:02 UTC

Technical Analysis

CVE-2020-35728 affects the FasterXML jackson-databind library, versions 2.x prior to 2.9.10.8. The flaw is the library's mishandling of the interaction between serialization gadgets and typing: when polymorphic (default) typing is in use, type identifiers carried in untrusted JSON input can cause jackson-databind to instantiate classes that were never intended as deserialization targets. The gadget class named in this record is com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool, an embedded copy of Xalan shipped in the org.glassfish.web/javax.servlet.jsp.jstl package. That class implements SQL connection pooling via JNDI, so instantiating it from attacker-supplied data can be abused to reach remote code execution or cause denial of service. jackson-databind is a widely used Java library for converting Java objects to JSON and back, which makes the flaw relevant to many web services and enterprise applications. No exploits in the wild have been reported. The record carries no CVSS score and no vendor/project information, which limits severity quantification, but the nature of the flaw indicates a risk of remote code execution through deserialization if unpatched versions remain in use. The vulnerability was published on December 27, 2020; upgrading to 2.9.10.8 or later is the primary mitigation.

Potential Impact

For European organizations, the impact of CVE-2020-35728 can be substantial, particularly for those relying on Java-based web applications and services that incorporate jackson-databind for JSON processing. Exploitation could lead to remote code execution, allowing attackers to gain unauthorized access, manipulate data, disrupt services, or move laterally within networks. This can compromise confidentiality, integrity, and availability of critical systems. Sectors such as finance, healthcare, government, and telecommunications, which heavily use Java applications, could face data breaches, service outages, or regulatory non-compliance issues under GDPR. The embedded nature of the vulnerable class within common Java EE components (like GlassFish and JSTL) increases the attack surface. Additionally, the potential for exploitation without user interaction and the ease of triggering deserialization vulnerabilities via crafted network requests heighten the risk. While no active exploits are currently known, the vulnerability remains a latent threat, especially as attackers often target serialization flaws in supply chain and enterprise environments. Organizations with legacy or unpatched software stacks are particularly vulnerable, and the impact could extend to critical infrastructure and services within Europe.

Mitigation Recommendations

1. Immediately upgrade jackson-databind to version 2.9.10.8 or later, where the vulnerability is patched.
2. Conduct a comprehensive inventory of Java applications and services to identify usage of jackson-databind, including transitive dependencies in build tools like Maven or Gradle.
3. Implement strict input validation and sanitization on all JSON inputs to reduce the risk of malicious payloads reaching deserialization routines.
4. Employ runtime application self-protection (RASP) or application-layer firewalls that can detect and block suspicious deserialization patterns.
5. Use Java security manager policies or sandboxing to limit the privileges of applications using jackson-databind, minimizing potential damage from exploitation.
6. Monitor logs and network traffic for anomalous activity indicative of deserialization attacks, such as unexpected JNDI lookups or class loading.
7. Where possible, replace jackson-databind with safer serialization libraries that do not allow polymorphic deserialization or that restrict allowed classes.
8. Educate developers and DevOps teams about secure deserialization practices and the risks associated with unsafe gadget chains.
9. For legacy systems where upgrading is not immediately feasible, consider applying custom deserialization filters or disabling default typing features in jackson-databind to reduce exposure.
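The following is an added example, not code from this record or from the jackson-databind project, showing the weak global default-typing configuration beside the two hardened configurations that items 7 and 9 describe (default typing off, or restricted to an allow-list). It assumes jackson-databind 2.10 or later, where the `activateDefaultTyping(PolymorphicTypeValidator, ...)` API exists, and a hypothetical application package `com.example.model`.

```java
// Added example: three ObjectMapper configurations side by side.
// Assumes jackson-databind 2.10+ (activateDefaultTyping with a
// PolymorphicTypeValidator); "com.example.model" is a hypothetical package.
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

public class JacksonTypingConfig {

    // WEAK: global default typing with no subtype restriction. Every non-final
    // class on the classpath becomes a candidate for instantiation from a type
    // id in the JSON, which is the exposure that gadget classes such as the
    // embedded Xalan JNDIConnectionPool depend on.
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(
                LaissezFaireSubTypeValidator.instance,
                ObjectMapper.DefaultTyping.NON_FINAL,
                JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    // SAFEST: leave default typing off entirely (the library default).
    // Type ids in the input are then not used to pick an arbitrary class.
    public static ObjectMapper noDefaultTypingMapper() {
        return new ObjectMapper();
    }

    // HARDENED: if polymorphic deserialization is genuinely required, restrict
    // resolvable subtypes to an explicit allow-list of application packages.
    // A type id outside the list is rejected before any instance is created.
    public static ObjectMapper allowListMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // hypothetical prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv,
                ObjectMapper.DefaultTyping.NON_FINAL,
                JsonTypeInfo.As.PROPERTY);
        return mapper;
    }
}
```

Audit existing code for calls to `enableDefaultTyping()` (deprecated since 2.10) and `@JsonTypeInfo(use = Id.CLASS)` on fields of broad types such as `Object`, since both reintroduce the weak behaviour regardless of the mapper configuration.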


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2020-12-27T00:00:00.000Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d983ac4522896dcbed06a

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 6/25/2025, 5:22:02 PM

Last updated: 8/3/2025, 12:49:21 PM
