CVE-2019-16943

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
Provider  Type  Base Score    Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      NIST  9.8 CRITICAL  NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre     CNA   -             -            -                -               -
CVE       ADP   -             -            -                -               -

Base score scale: CVSS 3.x
EPSS percentile: 82%
Vendor / Product / Version (x = vulnerable software versions)

fasterxml
  jackson-databind: 2.0.0 ≤ x < 2.6.7.3
  jackson-databind: 2.7.0 ≤ x < 2.8.11.5
  jackson-databind: 2.9.0 ≤ x < 2.9.10.1
debian
  debian_linux: 8.0
  debian_linux: 9.0
  debian_linux: 10.0
redhat
  jboss_enterprise_application_platform: 7.2
  jboss_enterprise_application_platform: 7.3
oracle
  banking_platform: 2.4.0
  banking_platform: 2.4.1
  banking_platform: 2.5.0
  banking_platform: 2.6.0
  banking_platform: 2.6.1
  banking_platform: 2.6.2
  banking_platform: 2.7.0
  banking_platform: 2.7.1
  banking_platform: 2.9.0
  communications_billing_and_revenue_management: 7.5.0.23.0
  communications_billing_and_revenue_management: 12.0.0.3.0
  communications_calendar_server: 8.0.0.2.0
  communications_calendar_server: 8.0.0.3.0
  communications_cloud_native_core_network_slice_selection_function: 1.2.1
  communications_evolved_communications_application_server: 7.1
  global_lifecycle_management_nextgen_oui_framework: 12.2.1.3.0
  global_lifecycle_management_nextgen_oui_framework: 12.2.1.4.0
  global_lifecycle_management_nextgen_oui_framework: 13.9.4.2.2
  goldengate_application_adapters: 19.1.0.0.0
  jd_edwards_enterpriseone_orchestrator: 9.2
  jd_edwards_enterpriseone_tools: 9.2
  primavera_gateway: 17.7 ≤ x ≤ 17.12.6
  primavera_gateway: 18.8.0 ≤ x ≤ 18.8.8
  primavera_gateway: 16.1
  primavera_gateway: 16.2
  primavera_gateway: 19.12.0
  retail_merchandising_system: 15.0.3
  retail_merchandising_system: 16.0.2
  retail_merchandising_system: 16.0.3
  retail_sales_audit: 14.1
  siebel_engineering_-_installer_&_deployment: x ≤ 2.20.5
  trace_file_analyzer: 12.2.0.1
  webcenter_portal: 12.2.1.3.0
  webcenter_portal: 12.2.1.4.0
  webcenter_sites: 12.2.1.3.0
  webcenter_sites: 12.2.1.4.0
  weblogic_server: 12.2.1.3.0
  weblogic_server: 12.2.1.4.0
netapp
  active_iq_unified_manager: 7.3 ≤ x
  active_iq_unified_manager: 9.5 ≤ x
  oncommand_api_services: -
  oncommand_workflow_automation: -
  service_level_manager: -
  steelstore_cloud_integrated_storage: -
Debian Releases
Debian Product: jackson-databind

Codename             Version           Status
bullseye (security)  2.12.1-1+deb11u1  fixed
bullseye             2.12.1-1+deb11u1  fixed
sid                  2.14.0-1          fixed
trixie               2.14.0-1          fixed
bookworm             2.14.0-1          fixed
Ubuntu Releases
Ubuntu Product: jackson-databind

Codename  Version                Status
noble     -                      not-affected
mantic    -                      not-affected
lunar     -                      not-affected
kinetic   -                      not-affected
jammy     -                      not-affected
impish    -                      not-affected
hirsute   -                      not-affected
groovy    -                      not-affected
focal     -                      not-affected
eoan      -                      ignored
disco     -                      ignored
bionic    -                      needs-triage
xenial    2.4.2-3ubuntu0.1~esm2  released (fixed)
trusty    -                      needs-triage