
Cloud Vulnerability DB
A community-led vulnerabilities database
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). The vulnerability was discovered and disclosed in March 2020 (CVE Mitre, NVD).
The vulnerability exists in the interaction between serialization gadgets and typing functionality in jackson-databind, specifically related to the ibatis-sqlmap component. This affects versions prior to 2.9.10.4 of the library. The issue involves improper handling of the JtaTransactionConfig class from the com.ibatis.sqlmap.engine.transaction.jta package (GitHub Issue).
When successfully exploited, this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL), indicating high severity across the confidentiality, integrity and availability impacts (NetApp Advisory).
The primary mitigation is to upgrade jackson-databind to version 2.9.10.4 or later. If an immediate upgrade is not possible, it is recommended to disable polymorphic deserialization for untrusted data or to implement strict whitelisting of the allowed classes. The fix was included in versions 2.9.10.4, 2.8.11.6, and 2.7.9.7 (GitHub Issue).
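As an added illustration of the two mitigations above (not code from the advisory or from the jackson-databind project), the following Java shows the weak setting beside two hardened forms: an explicit subtype allowlist via annotations, which works on 2.9.x, and a PolymorphicTypeValidator, which assumes jackson-databind 2.10 or later. The `Shape` model, the `com.example.model.` package prefix and the type names are hypothetical.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class JacksonTypingHardening {

    // Weak setting: global default typing lets untrusted JSON name any class on the
    // classpath, which is what makes gadget classes such as JtaTransactionConfig reachable.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated in 2.10; never use for untrusted input
        return mapper;
    }

    // Hardened option 1 (works on 2.9.x): no default typing; polymorphism is limited to an
    // explicit allowlist on the model. JSON may select only "circle" or "square".
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {}
    static class Circle implements Shape { public double radius; }
    static class Square implements Shape { public double side; }

    // Hardened option 2 (assumes jackson-databind 2.10+): if default typing is really
    // required, bound it with a validator that accepts only an application package.
    static ObjectMapper validatedMapper() {
        BasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.") // hypothetical trusted package prefix
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = new ObjectMapper(); // default typing left disabled
        Shape s = safe.readValue("{\"type\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println("resolved to " + s.getClass().getSimpleName());

        // Constructed input naming a type id outside the allowlist is rejected, not resolved.
        try {
            safe.readValue("{\"type\":\"unexpected\",\"radius\":2.0}", Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```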
Source: This report was generated using AI