CVE-2019-14439: Infoleak
First published: Tue Jul 30 2019(Updated: )
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2, 2.8.11.4, 2.7.9.6, and 2.6.7.3. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/jackson-databind | 2.9.8-3+deb10u3 2.9.8-3+deb10u5 2.12.1-1+deb11u1 2.14.0-1 | |
| maven/com.fasterxml.jackson.core:jackson-databind | >=2.8.0<2.8.11.4 | 2.8.11.4 |
| maven/com.fasterxml.jackson.core:jackson-databind | <2.6.7.3 | 2.6.7.3 |
| maven/com.fasterxml.jackson.core:jackson-databind | >=2.7.0<2.7.9.6 | 2.7.9.6 |
| maven/com.fasterxml.jackson.core:jackson-databind | >=2.9.0<2.9.9.2 | 2.9.9.2 |
| redhat/jackson-databind | <2.9.10 | 2.9.10 |
| redhat/jackson-databind | <2.8.11.4 | 2.8.11.4 |
| redhat/jackson-databind | <2.7.9.6 | 2.7.9.6 |
| redhat/jackson-databind | <2.6.7.3 | 2.6.7.3 |
| FasterXML jackson-databind | >=2.0.0<2.6.7.3 | |
| FasterXML jackson-databind | >=2.7.0<2.7.9.6 | |
| FasterXML jackson-databind | >=2.8.0<2.8.11.4 | |
| FasterXML jackson-databind | >=2.9.0<2.9.9.2 | |
| Debian | =8.0 | |
| Debian | =9.0 | |
| Debian | =10.0 | |
| Fedora | =29 | |
| Fedora | =30 | |
| Apache Drill | =1.16.0 | |
| Red Hat JBoss Middleware | =1.0 | |
| oracle banking platform | =2.4.0 | |
| oracle banking platform | =2.4.1 | |
| oracle banking platform | =2.5.0 | |
| oracle banking platform | =2.6.0 | |
| oracle banking platform | =2.6.1 | |
| oracle banking platform | =2.7.0 | |
| oracle banking platform | =2.7.1 | |
| Oracle Communications Diameter Signaling Router | =8.0.0 | |
| Oracle Communications Diameter Signaling Router | =8.1 | |
| Oracle Communications Diameter Signaling Router | =8.2 | |
| Oracle Communications Diameter Signaling Router | =8.2.1 | |
| Oracle Communications Instant Messaging Server | =10.0.1.3.0 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.2<=8.0.8 | |
| oracle global lifecycle management opatch | <11.2.0.3.23 | |
| oracle global lifecycle management opatch | >=12.2.0.1.0<12.2.0.1.19 | |
| oracle global lifecycle management opatch | >=13.9.4.0.0<13.9.4.2.1 | |
| oracle global lifecycle management opatch | =11.2.0.3.23 | |
| oracle global lifecycle management opatch | =13.9.4.2.1 | |
| Oracle GoldenGate Stream Analytics | <19.1.0.0.1 | |
| Oracle JD Edwards EnterpriseOne Orchestrator | =9.2 | |
| Oracle JD Edwards EnterpriseOne Tools | =9.2 | |
| oracle primavera gateway | >=17.7<=17.12 | |
| oracle primavera gateway | =15.2 | |
| oracle primavera gateway | =16.1 | |
| oracle primavera gateway | =16.2 | |
| oracle primavera gateway | =18.8.0 | |
| Oracle Customer Management and Segmentation Foundation | =17.0 | |
| Oracle Retail Xstore Office Cloud Service | =7.1 | |
| Oracle Retail Xstore Office Cloud Service | =15.0 | |
| Oracle Retail Xstore Office Cloud Service | =16.0 | |
| Oracle Retail Xstore Office Cloud Service | =17.0 | |
| Oracle Retail Xstore Office Cloud Service | =18.0 | |
| Oracle Siebel Engineering - Installer & Deployment | <=19.8 | |
| Oracle Siebel User Interface Framework | <=19.10 | |
| IBM Rational Quality Manager | <=6.0.6.1 | |
| IBM Rational Quality Manager | <=6.0.6 | |
| IBM Engineering Test Management (ETM) | <=7.0.0 | |
| IBM Rational Quality Manager | <=6.0.2 | |
| IBM Engineering Workflow Management (EWM) | <=7.0 | |
| IBM Engineering Lifecycle Management | <=6.0.6.1 | |
| IBM Engineering Lifecycle Management | <=6.0.6 | |
| IBM Engineering Lifecycle Management (ELM) | <=7.0 | |
| IBM Engineering Lifecycle Management | <=6.0.2 | |
| IBM Rational DOORS Next Generation | <=6.0.2 | |
| IBM Rational DOORS Next Generation | <=6.0.6.1 | |
| IBM Rational DOORS Next Generation | <=6.0.6 | |
| IBM Rational DOORS Next Generation | <=7.0 |
Remedy
The following conditions are needed for an exploit, we recommend avoiding all if possible * Deserialization from sources you do not control * `enableDefaultTyping()` * `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2019-14361
- https://security-tracker.debian.org/tracker/CVE-2019-14379
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14361
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379
- https://github.com/FasterXML/jackson-databind/issues/2387
- https://github.com/FasterXML/jackson-databind/issues/2389
- https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b
- https://security-tracker.debian.org/tracker/CVE-2019-14439
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933393
- https://nvd.nist.gov/vuln/detail/CVE-2019-14439
- https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2
- https://access.redhat.com/errata/RHSA-2019:3200
- https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/
- https://seclists.org/bugtraq/2019/Oct/6
- https://security.netapp.com/advisory/ntap-20190814-0001/
- https://www.debian.org/security/2019/dsa-4542
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://github.com/advisories/GHSA-gwp4-hfv6-p7hw (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/164744
- https://www.ibm.com/support/pages/node/6255694 (Advisory)
- https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3Cdev.struts.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1752964
- https://access.redhat.com/security/cve/cve-2019-14439
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/errata/RHSA-2020:0983
- https://bugzilla.redhat.com/show_bug.cgi?id=1752962
- https://www.cve.org/CVERecord?id=CVE-2019-14439 https://nvd.nist.gov/vuln/detail/CVE-2019-14439
Frequently Asked Questions
What is the severity of CVE-2019-14439?
CVE-2019-14439 has a moderate severity rating due to potential security risks related to polymorphic typing in certain configurations of the Jackson-databind library.
How do I fix CVE-2019-14439?
To fix CVE-2019-14439, update jackson-databind to version 2.9.9.2, 2.8.11.4, 2.7.9.6, or 2.6.7.3 or higher.
What software is affected by CVE-2019-14439?
CVE-2019-14439 affects multiple versions of the FasterXML jackson-databind library across various applications, including those provided by Debian and IBM.
What types of attacks does CVE-2019-14439 enable?
CVE-2019-14439 allows attackers to exploit polymorphic typing issues, potentially leading to remote code execution on systems with vulnerable configurations.
Is it safe to use default typing in JSON endpoints after CVE-2019-14439?
Using default typing in JSON endpoints can be risky after CVE-2019-14439; it is advisable to avoid or limit its use unless the library is updated.
- collector/redhat-cve
- collector/debian-bugs
- alias/CVE-2019-14439
- collector/security-tracker-debian
- collector/github-advisory-latest
- alias/GHSA-gwp4-hfv6-p7hw
- collector/github-advisory
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/weakness
- agent/remedy
- agent/references
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-cve
- collector/nvd-index
- agent/tags
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- package-manager/debian
- package-manager/maven
- package-manager/redhat
- vendor/fasterxml
- canonical/fasterxml jackson-databind
- version/fasterxml jackson-databind/2.0.0
- version/fasterxml jackson-databind/2.7.0
- version/fasterxml jackson-databind/2.8.0
- version/fasterxml jackson-databind/2.9.0
- vendor/debian
- canonical/debian
- version/debian/8.0
- version/debian/9.0
- version/debian/10.0
- vendor/fedoraproject
- canonical/fedora
- version/fedora/29
- version/fedora/30
- vendor/apache
- canonical/apache drill
- version/apache drill/1.16.0
- vendor/redhat
- canonical/red hat jboss middleware
- version/red hat jboss middleware/1.0
- vendor/oracle
- canonical/oracle banking platform
- version/oracle banking platform/2.4.0
- version/oracle banking platform/2.4.1
- version/oracle banking platform/2.5.0
- version/oracle banking platform/2.6.0
- version/oracle banking platform/2.6.1
- version/oracle banking platform/2.7.0
- version/oracle banking platform/2.7.1
- canonical/oracle communications diameter signaling router
- version/oracle communications diameter signaling router/8.0.0
- version/oracle communications diameter signaling router/8.1
- version/oracle communications diameter signaling router/8.2
- version/oracle communications diameter signaling router/8.2.1
- canonical/oracle communications instant messaging server
- version/oracle communications instant messaging server/10.0.1.3.0
- canonical/oracle financial services analytical applications infrastructure
- version/oracle financial services analytical applications infrastructure/8.0.2
- version/oracle financial services analytical applications infrastructure/8.0.8
- canonical/oracle global lifecycle management opatch
- version/oracle global lifecycle management opatch/12.2.0.1.0
- version/oracle global lifecycle management opatch/13.9.4.0.0
- version/oracle global lifecycle management opatch/11.2.0.3.23
- version/oracle global lifecycle management opatch/13.9.4.2.1
- canonical/oracle goldengate stream analytics
- canonical/oracle jd edwards enterpriseone orchestrator
- version/oracle jd edwards enterpriseone orchestrator/9.2
- canonical/oracle jd edwards enterpriseone tools
- version/oracle jd edwards enterpriseone tools/9.2
- canonical/oracle primavera gateway
- version/oracle primavera gateway/17.7
- version/oracle primavera gateway/17.12
- version/oracle primavera gateway/15.2
- version/oracle primavera gateway/16.1
- version/oracle primavera gateway/16.2
- version/oracle primavera gateway/18.8.0
- canonical/oracle customer management and segmentation foundation
- version/oracle customer management and segmentation foundation/17.0
- canonical/oracle retail xstore office cloud service
- version/oracle retail xstore office cloud service/7.1
- version/oracle retail xstore office cloud service/15.0
- version/oracle retail xstore office cloud service/16.0
- version/oracle retail xstore office cloud service/17.0
- version/oracle retail xstore office cloud service/18.0
- canonical/oracle siebel engineering - installer & deployment
- version/oracle siebel engineering - installer & deployment/19.8
- canonical/oracle siebel user interface framework
- version/oracle siebel user interface framework/19.10
- vendor/ibm
- canonical/ibm rational quality manager
- version/ibm rational quality manager/6.0.6.1
- version/ibm rational quality manager/6.0.6
- canonical/ibm engineering test management (etm)
- version/ibm engineering test management (etm)/7.0.0
- version/ibm rational quality manager/6.0.2
- canonical/ibm engineering workflow management (ewm)
- version/ibm engineering workflow management (ewm)/7.0
- canonical/ibm engineering lifecycle management
- version/ibm engineering lifecycle management/6.0.6.1
- version/ibm engineering lifecycle management/6.0.6
- canonical/ibm engineering lifecycle management (elm)
- version/ibm engineering lifecycle management (elm)/7.0
- version/ibm engineering lifecycle management/6.0.2
- canonical/ibm rational doors next generation
- version/ibm rational doors next generation/6.0.2
- version/ibm rational doors next generation/6.0.6.1
- version/ibm rational doors next generation/6.0.6
- version/ibm rational doors next generation/7.0