CVE-2020-11113: 
Java vulnerability analysis and mitigation

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). The vulnerability was discovered and disclosed in March 2020 (NVD).

The vulnerability exists in the interaction between serialization gadgets and typing functionality in jackson-databind versions prior to 2.9.10.4. The issue specifically relates to the org.apache.openjpa.ee.WASRegistryManagedRuntime class from the OpenJPA library. This vulnerability has a CVSS v3.1 Base Score of 8.8 (High) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

A successful exploitation of this vulnerability could allow an attacker to execute arbitrary code or cause other unspecified impacts when deserializing untrusted data. The vulnerability affects confidentiality, integrity, and availability of the system with High severity ratings for each (Ubuntu).

The primary mitigation is to upgrade jackson-databind to version 2.9.10.4 or later. For versions 2.10 and later, the vulnerability is mitigated by default as Safe Default Typing is enabled. Organizations should avoid enabling default typing when possible and be explicit about specifying where polymorphism is needed (Jackson Blog).

The vulnerability was reported by Xu Yuanzhen of Alibaba Cloud Security Team. Multiple vendors including NetApp, Oracle, and Debian issued security advisories and patches for their affected products (NetApp Advisory, Debian Advisory).