CVE-2019-14892: Infoleak
First published: Thu Sep 19 2019(Updated: )
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/com.fasterxml.jackson.core:jackson-databind | >=2.7.0<=2.8.11.4 | 2.8.11.5 |
| maven/com.fasterxml.jackson.core:jackson-databind | >=2.9.0<2.9.10 | 2.9.10 |
| maven/com.fasterxml.jackson.core:jackson-databind | <=2.6.7.2 | 2.6.7.3 |
| redhat/eap7-apache-cxf | <0:3.2.11-1.redhat_00001.1.el6ea | 0:3.2.11-1.redhat_00001.1.el6ea |
| redhat/eap7-glassfish-jsf | <0:2.3.5-6.SP3_redhat_00004.1.el6ea | 0:2.3.5-6.SP3_redhat_00004.1.el6ea |
| redhat/eap7-hal-console | <0:3.0.19-1.Final_redhat_00001.1.el6ea | 0:3.0.19-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-hibernate | <0:5.3.14-1.Final_redhat_00001.1.el6ea | 0:5.3.14-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-hibernate-validator | <0:6.0.18-1.Final_redhat_00001.1.el6ea | 0:6.0.18-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jackson-annotations | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jackson-core | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jackson-databind | <0:2.9.10.1-1.redhat_00001.1.el6ea | 0:2.9.10.1-1.redhat_00001.1.el6ea |
| redhat/eap7-jackson-dataformats-binary | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jackson-dataformats-text | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jackson-jaxrs-providers | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jackson-modules-base | <0:2.9.10-2.redhat_00003.1.el6ea | 0:2.9.10-2.redhat_00003.1.el6ea |
| redhat/eap7-jackson-modules-java8 | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jberet | <0:1.3.5-1.Final_redhat_00001.1.el6ea | 0:1.3.5-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.27-1.Final_redhat_00001.1.el6ea | 0:4.0.27-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-server-migration | <0:1.3.1-7.Final_redhat_00007.1.el6ea | 0:1.3.1-7.Final_redhat_00007.1.el6ea |
| redhat/eap7-jboss-xnio-base | <0:3.7.6-3.SP2_redhat_00001.1.el6ea | 0:3.7.6-3.SP2_redhat_00001.1.el6ea |
| redhat/eap7-netty | <0:4.1.42-1.Final_redhat_00001.1.el6ea | 0:4.1.42-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-picketlink-bindings | <0:2.5.5-21.SP12_redhat_00010.1.el6ea | 0:2.5.5-21.SP12_redhat_00010.1.el6ea |
| redhat/eap7-undertow | <0:2.0.28-2.SP1_redhat_00001.1.el6ea | 0:2.0.28-2.SP1_redhat_00001.1.el6ea |
| redhat/eap7-undertow-jastow | <0:2.0.8-1.Final_redhat_00001.1.el6ea | 0:2.0.8-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-weld-core | <0:3.0.6-3.Final_redhat_00003.1.el6ea | 0:3.0.6-3.Final_redhat_00003.1.el6ea |
| redhat/eap7-wildfly | <0:7.2.6-5.GA_redhat_00001.1.el6ea | 0:7.2.6-5.GA_redhat_00001.1.el6ea |
| redhat/eap7-wildfly-http-client | <0:1.0.18-2.Final_redhat_00001.1.el6ea | 0:1.0.18-2.Final_redhat_00001.1.el6ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.8-1.Final_redhat_00001.1.el6ea | 0:1.1.8-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-apache-cxf | <0:3.2.11-1.redhat_00001.1.el7ea | 0:3.2.11-1.redhat_00001.1.el7ea |
| redhat/eap7-glassfish-jsf | <0:2.3.5-6.SP3_redhat_00004.1.el7ea | 0:2.3.5-6.SP3_redhat_00004.1.el7ea |
| redhat/eap7-hal-console | <0:3.0.19-1.Final_redhat_00001.1.el7ea | 0:3.0.19-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-hibernate | <0:5.3.14-1.Final_redhat_00001.1.el7ea | 0:5.3.14-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-hibernate-validator | <0:6.0.18-1.Final_redhat_00001.1.el7ea | 0:6.0.18-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jackson-annotations | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jackson-core | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jackson-databind | <0:2.9.10.1-1.redhat_00001.1.el7ea | 0:2.9.10.1-1.redhat_00001.1.el7ea |
| redhat/eap7-jackson-dataformats-binary | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jackson-dataformats-text | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jackson-jaxrs-providers | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jackson-modules-base | <0:2.9.10-2.redhat_00003.1.el7ea | 0:2.9.10-2.redhat_00003.1.el7ea |
| redhat/eap7-jackson-modules-java8 | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jberet | <0:1.3.5-1.Final_redhat_00001.1.el7ea | 0:1.3.5-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.27-1.Final_redhat_00001.1.el7ea | 0:4.0.27-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-server-migration | <0:1.3.1-7.Final_redhat_00007.1.el7ea | 0:1.3.1-7.Final_redhat_00007.1.el7ea |
| redhat/eap7-jboss-xnio-base | <0:3.7.6-3.SP2_redhat_00001.1.el7ea | 0:3.7.6-3.SP2_redhat_00001.1.el7ea |
| redhat/eap7-netty | <0:4.1.42-1.Final_redhat_00001.1.el7ea | 0:4.1.42-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-picketlink-bindings | <0:2.5.5-21.SP12_redhat_00010.1.el7ea | 0:2.5.5-21.SP12_redhat_00010.1.el7ea |
| redhat/eap7-undertow | <0:2.0.28-2.SP1_redhat_00001.1.el7ea | 0:2.0.28-2.SP1_redhat_00001.1.el7ea |
| redhat/eap7-undertow-jastow | <0:2.0.8-1.Final_redhat_00001.1.el7ea | 0:2.0.8-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-weld-core | <0:3.0.6-3.Final_redhat_00003.1.el7ea | 0:3.0.6-3.Final_redhat_00003.1.el7ea |
| redhat/eap7-wildfly | <0:7.2.6-5.GA_redhat_00001.1.el7ea | 0:7.2.6-5.GA_redhat_00001.1.el7ea |
| redhat/eap7-wildfly-http-client | <0:1.0.18-2.Final_redhat_00001.1.el7ea | 0:1.0.18-2.Final_redhat_00001.1.el7ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.8-1.Final_redhat_00001.1.el7ea | 0:1.1.8-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-apache-cxf | <0:3.2.11-1.redhat_00001.1.el8ea | 0:3.2.11-1.redhat_00001.1.el8ea |
| redhat/eap7-glassfish-jsf | <0:2.3.5-6.SP3_redhat_00004.1.el8ea | 0:2.3.5-6.SP3_redhat_00004.1.el8ea |
| redhat/eap7-hal-console | <0:3.0.19-1.Final_redhat_00001.1.el8ea | 0:3.0.19-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-hibernate | <0:5.3.14-1.Final_redhat_00001.1.el8ea | 0:5.3.14-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-hibernate-validator | <0:6.0.18-1.Final_redhat_00001.1.el8ea | 0:6.0.18-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jackson-annotations | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jackson-core | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jackson-databind | <0:2.9.10.1-1.redhat_00001.1.el8ea | 0:2.9.10.1-1.redhat_00001.1.el8ea |
| redhat/eap7-jackson-dataformats-binary | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jackson-dataformats-text | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jackson-jaxrs-providers | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jackson-modules-base | <0:2.9.10-2.redhat_00003.1.el8ea | 0:2.9.10-2.redhat_00003.1.el8ea |
| redhat/eap7-jackson-modules-java8 | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jberet | <0:1.3.5-1.Final_redhat_00001.1.el8ea | 0:1.3.5-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.27-1.Final_redhat_00001.1.el8ea | 0:4.0.27-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-server-migration | <0:1.3.1-7.Final_redhat_00007.1.el8ea | 0:1.3.1-7.Final_redhat_00007.1.el8ea |
| redhat/eap7-jboss-xnio-base | <0:3.7.6-3.SP2_redhat_00001.1.el8ea | 0:3.7.6-3.SP2_redhat_00001.1.el8ea |
| redhat/eap7-netty | <0:4.1.42-1.Final_redhat_00001.1.el8ea | 0:4.1.42-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-picketlink-bindings | <0:2.5.5-21.SP12_redhat_00010.1.el8ea | 0:2.5.5-21.SP12_redhat_00010.1.el8ea |
| redhat/eap7-undertow | <0:2.0.28-2.SP1_redhat_00001.1.el8ea | 0:2.0.28-2.SP1_redhat_00001.1.el8ea |
| redhat/eap7-undertow-jastow | <0:2.0.8-1.Final_redhat_00001.1.el8ea | 0:2.0.8-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-weld-core | <0:3.0.6-3.Final_redhat_00003.1.el8ea | 0:3.0.6-3.Final_redhat_00003.1.el8ea |
| redhat/eap7-wildfly | <0:7.2.6-5.GA_redhat_00001.1.el8ea | 0:7.2.6-5.GA_redhat_00001.1.el8ea |
| redhat/eap7-wildfly-http-client | <0:1.0.18-2.Final_redhat_00001.1.el8ea | 0:1.0.18-2.Final_redhat_00001.1.el8ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.8-1.Final_redhat_00001.1.el8ea | 0:1.1.8-1.Final_redhat_00001.1.el8ea |
| redhat/jackson-databind | <2.9.10 | 2.9.10 |
| redhat/jackson-databind | <2.6.7.3 | 2.6.7.3 |
| IBM Data Risk Manager | <=2.0.6 | |
| FasterXML jackson-databind | >=2.0.0<2.6.7.3 | |
| FasterXML jackson-databind | >=2.7.0<2.8.11.5 | |
| FasterXML jackson-databind | >=2.9.0<2.9.10 | |
| redhat decision manager | =7.0 | |
| redhat jboss data grid | ||
| redhat jboss data grid | =7.0.0 | |
| redhat jboss enterprise application platform | =7.0 | |
| Red Hat JBoss Fuse | =7.0.0 | |
| redhat openshift container platform | =4.3 | |
| Red Hat Process Automation Manager | =7.0 | |
| Apache Geode | =1.12.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2020:0729
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892
- https://github.com/FasterXML/jackson-databind/issues/2462
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
- https://security.netapp.com/advisory/ntap-20200904-0005/
- https://nvd.nist.gov/vuln/detail/CVE-2019-14892
- https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af
- https://github.com/FasterXML/jackson-databind/commit/819cdbcab51c6da9fb896380f2d46e9b7d4fdc3b
- https://github.com/advisories/GHSA-cf6r-3wgc-h863 (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2019-14892 https://nvd.nist.gov/vuln/detail/CVE-2019-14892
- https://bugzilla.redhat.com/show_bug.cgi?id=1758171
- https://access.redhat.com/errata/RHSA-2020:2333
- https://access.redhat.com/errata/RHSA-2020:0899
- https://access.redhat.com/errata/RHSA-2020:0164
- https://access.redhat.com/errata/RHSA-2020:0159
- https://access.redhat.com/errata/RHSA-2020:0160
- https://access.redhat.com/errata/RHSA-2020:0161
- https://access.redhat.com/errata/RHSA-2020:3192
- https://access.redhat.com/errata/RHSA-2020:0895
- https://access.redhat.com/errata/RHSA-2020:0445
- https://access.redhat.com/errata/RHSA-2020:2067
- https://access.redhat.com/security/cve/cve-2019-14892
- https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1758172
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/solutions/3279231
- https://exchange.xforce.ibmcloud.com/vulnerabilities/177106
- https://www.ibm.com/support/pages/node/6335281 (Advisory)
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2019-14892?
CVE-2019-14892 is classified as a high severity vulnerability due to its ability to allow arbitrary code execution through polymorphic deserialization.
How do I fix CVE-2019-14892?
To resolve CVE-2019-14892, upgrade jackson-databind to version 2.9.10 or higher, 2.8.11.5, or 2.6.7.3.
What types of attacks can exploit CVE-2019-14892?
CVE-2019-14892 can be exploited by attackers through polymorphic deserialization, enabling them to execute malicious code remotely.
Which versions of jackson-databind are affected by CVE-2019-14892?
Versions of jackson-databind prior to 2.9.10, 2.8.11.5, and 2.6.7.3 are affected by CVE-2019-14892.
Are there any specific software packages vulnerable to CVE-2019-14892?
Yes, numerous packages, especially those related to Red Hat's ecosystem, implement vulnerable versions of jackson-databind that are affected by CVE-2019-14892.
- collector/github-advisory-latest
- alias/GHSA-cf6r-3wgc-h863
- alias/CVE-2019-14892
- collector/github-advisory
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/author
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/description
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-cve
- package-manager/maven
- package-manager/redhat
- vendor/ibm
- canonical/ibm data risk manager
- version/ibm data risk manager/2.0.6
- vendor/fasterxml
- canonical/fasterxml jackson-databind
- version/fasterxml jackson-databind/2.0.0
- version/fasterxml jackson-databind/2.7.0
- version/fasterxml jackson-databind/2.9.0
- vendor/redhat
- canonical/redhat decision manager
- version/redhat decision manager/7.0
- canonical/redhat jboss data grid
- version/redhat jboss data grid/7.0.0
- canonical/redhat jboss enterprise application platform
- version/redhat jboss enterprise application platform/7.0
- canonical/red hat jboss fuse
- version/red hat jboss fuse/7.0.0
- canonical/redhat openshift container platform
- version/redhat openshift container platform/4.3
- canonical/red hat process automation manager
- version/red hat process automation manager/7.0
- vendor/apache
- canonical/apache geode
- version/apache geode/1.12.0