CVE-2019-16942

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 62%
VendorProductVersion
fasterxmljackson-databind
2.0.0 ≤
𝑥
< 2.6.7.3
fasterxmljackson-databind
2.8.0 ≤
𝑥
< 2.8.11.5
fasterxmljackson-databind
2.9.0 ≤
𝑥
< 2.9.10.1
debiandebian_linux
8.0
debiandebian_linux
9.0
debiandebian_linux
10.0
redhatjboss_enterprise_application_platform
7.2.0
redhatjboss_enterprise_application_platform
7.3
netappactive_iq_unified_manager
7.3 ≤
netappactive_iq_unified_manager
7.3 ≤
netappactive_iq_unified_manager
9.5 ≤
netapponcommand_api_services
-
netapponcommand_workflow_automation
-
netappservice_level_manager
-
netappsteelstore_cloud_integrated_storage
-
oraclebanking_platform
2.4.0
oraclebanking_platform
2.4.1
oraclebanking_platform
2.5.0
oraclebanking_platform
2.6.0
oraclebanking_platform
2.6.1
oraclebanking_platform
2.6.2
oraclebanking_platform
2.7.0
oraclebanking_platform
2.7.1
oraclebanking_platform
2.9.0
oraclecommunications_billing_and_revenue_management
7.5.0.23.0
oraclecommunications_billing_and_revenue_management
12.0.0.3.0
oraclecommunications_calendar_server
8.0.0.2.0
oraclecommunications_calendar_server
8.0.0.3.0
oraclecommunications_cloud_native_core_network_slice_selection_function
1.2.1
oraclecommunications_evolved_communications_application_server
7.1
oracledatabase_server
12.2.0.1
oracleglobal_lifecycle_management_nextgen_oui_framework
12.2.1.3.0
oracleglobal_lifecycle_management_nextgen_oui_framework
12.2.1.4.0
oracleglobal_lifecycle_management_nextgen_oui_framework
13.9.4.2.2
oraclegoldengate_application_adapters
19.1.0.0.0
oraclejd_edwards_enterpriseone_orchestrator
9.2
oraclejd_edwards_enterpriseone_tools
9.2
oracleprimavera_gateway
17.12.0 ≤
𝑥
≤ 17.12.6
oracleprimavera_gateway
18.8.0 ≤
𝑥
≤ 18.8.8
oracleprimavera_gateway
19.12.0
oracleprimavera_unifier
17.7 ≤
𝑥
≤ 17.12
oracleprimavera_unifier
16.1
oracleprimavera_unifier
16.2
oracleprimavera_unifier
18.8
oracleprimavera_unifier
19.12
oracleretail_merchandising_system
15.0.3
oracleretail_merchandising_system
16.0.2
oracleretail_merchandising_system
16.0.3
oracleretail_sales_audit
14.1
oraclesiebel_engineering_-_installer_\&_deployment
𝑥
≤ 2.20.5
oraclesiebel_ui_framework
𝑥
≤ 20.5
oraclesiebel_ui_framework
20.6
oraclewebcenter_portal
12.2.1.3.0
oraclewebcenter_portal
12.2.1.4.0
oraclewebcenter_sites
12.2.1.3.0
oraclewebcenter_sites
12.2.1.4.0
oracleweblogic_server
12.2.1.3.0
oracleweblogic_server
12.2.1.4.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jackson-databind
bullseye (security)
2.12.1-1+deb11u1
fixed
bullseye
2.12.1-1+deb11u1
fixed
sid
2.14.0-1
fixed
trixie
2.14.0-1
fixed
bookworm
2.14.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jackson-databind
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
not-affected
eoan
ignored
disco
ignored
bionic
needs-triage
xenial
Fixed 2.4.2-3ubuntu0.1~esm2
released
trusty
needs-triage
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2019:3901
https://access.redhat.com/errata/RHSA-2020:0159
https://access.redhat.com/errata/RHSA-2020:0160
https://access.redhat.com/errata/RHSA-2020:0161
https://access.redhat.com/errata/RHSA-2020:0164
https://access.redhat.com/errata/RHSA-2020:0445
https://github.com/FasterXML/jackson-databind/issues/2478
https://issues.apache.org/jira/browse/GEODE-7255
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/7782a937c9259a58337ee36b2961f00e2d744feafc13084e176d0df5%40%3Cissues.geode.apache.org%3E
https://lists.apache.org/thread.html/a430dbc9be874c41314cc69e697384567a9a24025e819d9485547954%40%3Cissues.geode.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/b2e23c94f9dfef53e04c492e5d02e5c75201734be7adc73a49ef2370%40%3Cissues.geode.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://seclists.org/bugtraq/2019/Oct/6
https://security.netapp.com/advisory/ntap-20191017-0006/
https://www.debian.org/security/2019/dsa-4542
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://access.redhat.com/errata/RHSA-2019:3901
https://access.redhat.com/errata/RHSA-2020:0159
https://access.redhat.com/errata/RHSA-2020:0160
https://access.redhat.com/errata/RHSA-2020:0161
https://access.redhat.com/errata/RHSA-2020:0164
https://access.redhat.com/errata/RHSA-2020:0445
https://github.com/FasterXML/jackson-databind/issues/2478
https://issues.apache.org/jira/browse/GEODE-7255
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/7782a937c9259a58337ee36b2961f00e2d744feafc13084e176d0df5%40%3Cissues.geode.apache.org%3E
https://lists.apache.org/thread.html/a430dbc9be874c41314cc69e697384567a9a24025e819d9485547954%40%3Cissues.geode.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/b2e23c94f9dfef53e04c492e5d02e5c75201734be7adc73a49ef2370%40%3Cissues.geode.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://seclists.org/bugtraq/2019/Oct/6
https://security.netapp.com/advisory/ntap-20191017-0006/
https://www.debian.org/security/2019/dsa-4542
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html