
Jackson Serialization excludes fields

First of all I want to give you a bit of context.

We have an interface A which is implemented by class B. Class B also extends abstract class C.

What we usually return when the requests are called (rest GET endpoint) are the values in B and the values in all the classes that form the hierarchy (D extending B and so on).

B contains getters to access these values. These getters are NOT DEFINED in the A interface. But the response works; the values are converted into JSON, so there's no problem so far. Jackson is able to call the getters and create the JSON based on them.

Now we're upgrading Jackson to a newer version from 2.6.7. We tried 2.10.3 and upward.

The problem is that those getters are not being serialized anymore. If we define them in the interface it's OK, but the risk of doing this in our context is high.

Does anyone know why with the newer versions of Jackson the getters which are not defined in the interface are ignored? Is there a configuration, tweak or something which can force its previous behavior?

Later Edit 1

Important to note how the objects are created: Interface A obj = new Class C() or whichever is needed from the hierarchy;

Later Edit 2

Maybe it helps also providing the information that Spring was updated from version 4.0.0 to 5.3.0. The application uses Spring-mvc, Spring-core, it's a non-spring-boot application.

The dependencies used:

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>${com.fasterxml.jackson.databind}</version>
</dependency>

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-annotations</artifactId>
    <version>${com.fasterxml.jackson.databind}</version>
</dependency>

<dependency>
    <groupId>com.fasterxml.jackson.datatype</groupId>
    <artifactId>jackson-datatype-jdk8</artifactId>
    <version>${com.fasterxml.jackson.version}</version>
</dependency>

<dependency>
    <groupId>com.fasterxml.jackson.datatype</groupId>
    <artifactId>jackson-datatype-jsr310</artifactId>
    <version>${com.fasterxml.jackson.version}</version>
</dependency>
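The mechanism behind the symptom, as an added example that is not code from the question or from Jackson's own documentation: Jackson picks the getters to call from whichever type it is asked to serialize. Handed the instance, it introspects the runtime class B (plus C) and emits every getter it finds; pinned to the declared interface A (here via writerFor, one way a component can hand Jackson the declared type instead of the instance), it visits only A's getters. The interface A, abstract class C, class B and the getter names are constructed to mirror the question; a Jackson 2.10.x jackson-databind on the classpath is assumed.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

// Constructed hierarchy mirroring the question: A (interface), C (abstract parent), B (concrete).
interface A {
    String getName();                                  // declared in the interface
}

abstract class C {
    public String getKind() { return "abstract-c"; }   // getter inherited from the abstract parent
}

class B extends C implements A {
    @Override public String getName() { return "b"; }
    public int getInternalId() { return 42; }          // NOT declared in A (assumed name)
}

public class DeclaredTypeDemo {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Serialization driven by the runtime type: Jackson introspects B, so getters
    // from B and C appear even though A does not declare them.
    static JsonNode byRuntimeType(A obj) throws Exception {
        return MAPPER.readTree(MAPPER.writeValueAsString(obj));
    }

    // Serialization pinned to the declared type A: only A's getters are visited,
    // which is exactly the "getters outside the interface vanish" behaviour.
    static JsonNode byDeclaredType(A obj) throws Exception {
        return MAPPER.readTree(MAPPER.writerFor(A.class).writeValueAsString(obj));
    }

    public static void main(String[] args) throws Exception {
        A obj = new B();   // same assignment shape as "Interface A obj = new ..." in the question

        JsonNode runtime = byRuntimeType(obj);
        JsonNode declared = byDeclaredType(obj);

        // Runtime-type output carries the whole hierarchy; declared-type output only A's properties.
        if (!(runtime.has("name") && runtime.has("kind") && runtime.has("internalId")))
            throw new AssertionError("runtime-type serialization should expose B and C getters");
        if (!(declared.has("name") && !declared.has("kind") && !declared.has("internalId")))
            throw new AssertionError("declared-type serialization should expose only A getters");

        System.out.println("runtime type : " + runtime);
        System.out.println("declared type: " + declared);
    }
}
```

Note the trade-off before forcing the old behaviour back: serializing against the interface is also what keeps subclass-only getters out of a response, so re-enabling runtime-type serialization exposes every getter reachable from the concrete class.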

Back in 2018 or so, the exploitation of serialization validation limitations in authenticity was being abused and led to vulnerability patches. These were called "serialization gadgets"; but by the time the vulnerability reports made it into the public eye, many different serialization frameworks and libraries, including Jackson, had already distributed bundled packages with their installers.

For Java - some example datatypes which may be exploitable may be:

java.lang.Object
java.io.Serializable
java.util.Comparable

For Jackson - around 2.10.x a change to serialization was released, but I was unable to find a specific reference to patching Gadgets.

Typically the resolution is to blacklist serialization of Classes which contain such datatypes. Luckily, the developers often include a flag (like a ToS agreement) which you can specify to re-enable serialization of these Classes.

Unfortunately, I last programmed in Java 5 years ago - but based on quick reading I imagine the "flag" would include some form of annotation decorator or xml config tag.
