logo

Database

Insecure deserialization In com.fasterxml.jackson.core:jackson-databind

Description

jackson-databind polymorphic typing issue A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2019-169432. NVD-2019-169433. OSV-2019-169434. OSV-DEBIAN-2019-169435. GCVE-2019-169436. lists.debian.org7. access.redhat.com8. access.redhat.com9. access.redhat.com10. access.redhat.com11. access.redhat.com12. SECURITY-TRACKER-CVE-2019-16943

References

1. https://github.com/FasterXML/jackson-databind/issues/24782. https://github.com/FasterXML/jackson-databind/commit/328a0f833daf6baa443ac3b37c818a0204714b0b3. https://github.com/FasterXML/jackson-databind/commit/bc67eb11a7cf57561f861ff16f879f1fceb5779f4. https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E5. https://lists.fedoraproject.org/archives/list/[email protected]/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K436. https://lists.fedoraproject.org/archives/list/[email protected]/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT7. https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e80628. https://seclists.org/bugtraq/2019/Oct/69. https://security.netapp.com/advisory/ntap-20191017-000610. https://www.debian.org/security/2019/dsa-454211. https://www.oracle.com//security-alerts/cpujul2021.html12. https://www.oracle.com/security-alerts/cpuapr2020.html13. https://www.oracle.com/security-alerts/cpujan2020.html14. https://www.oracle.com/security-alerts/cpujul2020.html15. https://www.oracle.com/security-alerts/cpuoct2020.html16. https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E17. https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E18. https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E19. https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E20. https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E21. https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd@%3Ccommits.iceberg.apache.org%3E22. https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E23. https://github.com/dawetmaster/CVE-2019-16943-jackson-databind-vulnerable

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.