CVE-2019-16335: Infoleak
First published: Sun Sep 15 2019(Updated: )
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/com.fasterxml.jackson.core:jackson-databind | <2.6.7.3 | 2.6.7.3 |
| maven/com.fasterxml.jackson.core:jackson-databind | >=2.7.0<2.8.11.5 | 2.8.11.5 |
| maven/com.fasterxml.jackson.core:jackson-databind | >=2.9.0<2.9.10 | 2.9.10 |
| redhat/eap7-apache-cxf | <0:3.2.11-1.redhat_00001.1.el6ea | 0:3.2.11-1.redhat_00001.1.el6ea |
| redhat/eap7-glassfish-jsf | <0:2.3.5-6.SP3_redhat_00004.1.el6ea | 0:2.3.5-6.SP3_redhat_00004.1.el6ea |
| redhat/eap7-hal-console | <0:3.0.19-1.Final_redhat_00001.1.el6ea | 0:3.0.19-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-hibernate | <0:5.3.14-1.Final_redhat_00001.1.el6ea | 0:5.3.14-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-hibernate-validator | <0:6.0.18-1.Final_redhat_00001.1.el6ea | 0:6.0.18-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jackson-annotations | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jackson-core | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jackson-databind | <0:2.9.10.1-1.redhat_00001.1.el6ea | 0:2.9.10.1-1.redhat_00001.1.el6ea |
| redhat/eap7-jackson-dataformats-binary | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jackson-dataformats-text | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jackson-jaxrs-providers | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jackson-modules-base | <0:2.9.10-2.redhat_00003.1.el6ea | 0:2.9.10-2.redhat_00003.1.el6ea |
| redhat/eap7-jackson-modules-java8 | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jberet | <0:1.3.5-1.Final_redhat_00001.1.el6ea | 0:1.3.5-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.27-1.Final_redhat_00001.1.el6ea | 0:4.0.27-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-server-migration | <0:1.3.1-7.Final_redhat_00007.1.el6ea | 0:1.3.1-7.Final_redhat_00007.1.el6ea |
| redhat/eap7-jboss-xnio-base | <0:3.7.6-3.SP2_redhat_00001.1.el6ea | 0:3.7.6-3.SP2_redhat_00001.1.el6ea |
| redhat/eap7-netty | <0:4.1.42-1.Final_redhat_00001.1.el6ea | 0:4.1.42-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-picketlink-bindings | <0:2.5.5-21.SP12_redhat_00010.1.el6ea | 0:2.5.5-21.SP12_redhat_00010.1.el6ea |
| redhat/eap7-undertow | <0:2.0.28-2.SP1_redhat_00001.1.el6ea | 0:2.0.28-2.SP1_redhat_00001.1.el6ea |
| redhat/eap7-undertow-jastow | <0:2.0.8-1.Final_redhat_00001.1.el6ea | 0:2.0.8-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-weld-core | <0:3.0.6-3.Final_redhat_00003.1.el6ea | 0:3.0.6-3.Final_redhat_00003.1.el6ea |
| redhat/eap7-wildfly | <0:7.2.6-5.GA_redhat_00001.1.el6ea | 0:7.2.6-5.GA_redhat_00001.1.el6ea |
| redhat/eap7-wildfly-http-client | <0:1.0.18-2.Final_redhat_00001.1.el6ea | 0:1.0.18-2.Final_redhat_00001.1.el6ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.8-1.Final_redhat_00001.1.el6ea | 0:1.1.8-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-apache-cxf | <0:3.2.11-1.redhat_00001.1.el7ea | 0:3.2.11-1.redhat_00001.1.el7ea |
| redhat/eap7-glassfish-jsf | <0:2.3.5-6.SP3_redhat_00004.1.el7ea | 0:2.3.5-6.SP3_redhat_00004.1.el7ea |
| redhat/eap7-hal-console | <0:3.0.19-1.Final_redhat_00001.1.el7ea | 0:3.0.19-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-hibernate | <0:5.3.14-1.Final_redhat_00001.1.el7ea | 0:5.3.14-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-hibernate-validator | <0:6.0.18-1.Final_redhat_00001.1.el7ea | 0:6.0.18-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jackson-annotations | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jackson-core | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jackson-databind | <0:2.9.10.1-1.redhat_00001.1.el7ea | 0:2.9.10.1-1.redhat_00001.1.el7ea |
| redhat/eap7-jackson-dataformats-binary | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jackson-dataformats-text | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jackson-jaxrs-providers | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jackson-modules-base | <0:2.9.10-2.redhat_00003.1.el7ea | 0:2.9.10-2.redhat_00003.1.el7ea |
| redhat/eap7-jackson-modules-java8 | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jberet | <0:1.3.5-1.Final_redhat_00001.1.el7ea | 0:1.3.5-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.27-1.Final_redhat_00001.1.el7ea | 0:4.0.27-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-server-migration | <0:1.3.1-7.Final_redhat_00007.1.el7ea | 0:1.3.1-7.Final_redhat_00007.1.el7ea |
| redhat/eap7-jboss-xnio-base | <0:3.7.6-3.SP2_redhat_00001.1.el7ea | 0:3.7.6-3.SP2_redhat_00001.1.el7ea |
| redhat/eap7-netty | <0:4.1.42-1.Final_redhat_00001.1.el7ea | 0:4.1.42-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-picketlink-bindings | <0:2.5.5-21.SP12_redhat_00010.1.el7ea | 0:2.5.5-21.SP12_redhat_00010.1.el7ea |
| redhat/eap7-undertow | <0:2.0.28-2.SP1_redhat_00001.1.el7ea | 0:2.0.28-2.SP1_redhat_00001.1.el7ea |
| redhat/eap7-undertow-jastow | <0:2.0.8-1.Final_redhat_00001.1.el7ea | 0:2.0.8-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-weld-core | <0:3.0.6-3.Final_redhat_00003.1.el7ea | 0:3.0.6-3.Final_redhat_00003.1.el7ea |
| redhat/eap7-wildfly | <0:7.2.6-5.GA_redhat_00001.1.el7ea | 0:7.2.6-5.GA_redhat_00001.1.el7ea |
| redhat/eap7-wildfly-http-client | <0:1.0.18-2.Final_redhat_00001.1.el7ea | 0:1.0.18-2.Final_redhat_00001.1.el7ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.8-1.Final_redhat_00001.1.el7ea | 0:1.1.8-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-apache-cxf | <0:3.2.11-1.redhat_00001.1.el8ea | 0:3.2.11-1.redhat_00001.1.el8ea |
| redhat/eap7-glassfish-jsf | <0:2.3.5-6.SP3_redhat_00004.1.el8ea | 0:2.3.5-6.SP3_redhat_00004.1.el8ea |
| redhat/eap7-hal-console | <0:3.0.19-1.Final_redhat_00001.1.el8ea | 0:3.0.19-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-hibernate | <0:5.3.14-1.Final_redhat_00001.1.el8ea | 0:5.3.14-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-hibernate-validator | <0:6.0.18-1.Final_redhat_00001.1.el8ea | 0:6.0.18-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jackson-annotations | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jackson-core | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jackson-databind | <0:2.9.10.1-1.redhat_00001.1.el8ea | 0:2.9.10.1-1.redhat_00001.1.el8ea |
| redhat/eap7-jackson-dataformats-binary | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jackson-dataformats-text | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jackson-jaxrs-providers | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jackson-modules-base | <0:2.9.10-2.redhat_00003.1.el8ea | 0:2.9.10-2.redhat_00003.1.el8ea |
| redhat/eap7-jackson-modules-java8 | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jberet | <0:1.3.5-1.Final_redhat_00001.1.el8ea | 0:1.3.5-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.27-1.Final_redhat_00001.1.el8ea | 0:4.0.27-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-server-migration | <0:1.3.1-7.Final_redhat_00007.1.el8ea | 0:1.3.1-7.Final_redhat_00007.1.el8ea |
| redhat/eap7-jboss-xnio-base | <0:3.7.6-3.SP2_redhat_00001.1.el8ea | 0:3.7.6-3.SP2_redhat_00001.1.el8ea |
| redhat/eap7-netty | <0:4.1.42-1.Final_redhat_00001.1.el8ea | 0:4.1.42-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-picketlink-bindings | <0:2.5.5-21.SP12_redhat_00010.1.el8ea | 0:2.5.5-21.SP12_redhat_00010.1.el8ea |
| redhat/eap7-undertow | <0:2.0.28-2.SP1_redhat_00001.1.el8ea | 0:2.0.28-2.SP1_redhat_00001.1.el8ea |
| redhat/eap7-undertow-jastow | <0:2.0.8-1.Final_redhat_00001.1.el8ea | 0:2.0.8-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-weld-core | <0:3.0.6-3.Final_redhat_00003.1.el8ea | 0:3.0.6-3.Final_redhat_00003.1.el8ea |
| redhat/eap7-wildfly | <0:7.2.6-5.GA_redhat_00001.1.el8ea | 0:7.2.6-5.GA_redhat_00001.1.el8ea |
| redhat/eap7-wildfly-http-client | <0:1.0.18-2.Final_redhat_00001.1.el8ea | 0:1.0.18-2.Final_redhat_00001.1.el8ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.8-1.Final_redhat_00001.1.el8ea | 0:1.1.8-1.Final_redhat_00001.1.el8ea |
| debian/jackson-databind | 2.9.8-3+deb10u3 2.9.8-3+deb10u5 2.12.1-1+deb11u1 2.14.0-1 | |
| redhat/jackson-databind | <2.9.10 | 2.9.10 |
| IBM Data Risk Manager | <=2.0.6 | |
| FasterXML jackson-databind | >=2.0.0<2.6.7.3 | |
| FasterXML jackson-databind | >=2.7.0<2.8.11.5 | |
| FasterXML jackson-databind | >=2.9.0<2.9.10 | |
| Fedora | =30 | |
| Fedora | =31 | |
| Debian | =8.0 | |
| Debian | =9.0 | |
| Debian | =10.0 | |
| NetApp OnCommand API Services | ||
| NetApp OnCommand Workflow Automation | ||
| NetApp SteelStore | ||
| redhat jboss enterprise application platform | =7.2 | |
| redhat jboss enterprise application platform | =7.3 | |
| Red Hat Enterprise Linux | =6.0 | |
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| oracle banking platform | =2.4.0 | |
| oracle banking platform | =2.4.1 | |
| oracle banking platform | =2.5.0 | |
| oracle banking platform | =2.6.0 | |
| oracle banking platform | =2.6.1 | |
| oracle banking platform | =2.7.0 | |
| oracle banking platform | =2.7.1 | |
| Oracle Customer Management and Segmentation Foundation | =18.0 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.2<=8.0.8 | |
| oracle global lifecycle management opatch | <11.2.0.3.23 | |
| oracle global lifecycle management opatch | >=12.2.0.1.0<12.2.0.1.19 | |
| oracle global lifecycle management opatch | >=13.9.4.0.0<13.9.4.2.1 | |
| Oracle GoldenGate Application Adapters | =19.1.0.0.0 | |
| Oracle GoldenGate Stream Analytics | <19.1.0.0.1 | |
| oracle primavera gateway | >=17.7<=17.12 | |
| oracle primavera gateway | =15.2 | |
| oracle primavera gateway | =16.1 | |
| oracle primavera gateway | =16.2 | |
| oracle primavera gateway | =18.8.0 | |
| Oracle Customer Management and Segmentation Foundation | =17.0 | |
| Oracle Retail Xstore Office Cloud Service | =7.1 | |
| Oracle Retail Xstore Office Cloud Service | =15.0 | |
| Oracle Retail Xstore Office Cloud Service | =16.0 | |
| Oracle Retail Xstore Office Cloud Service | =17.0 | |
| Oracle Retail Xstore Office Cloud Service | =18.0 | |
| Oracle WebLogic Server | =12.2.1.3.0 |
Remedy
This vulnerability relies on com.zaxxer.hikari.HikariDataSource being present in the application's ClassPath. Hikari is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use com.zaxxer.hikari are not impacted by this vulnerability. A mitigation to this class of problem in jackson-databind is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-16335
- https://github.com/FasterXML/jackson-databind/issues/2449
- https://access.redhat.com/errata/RHSA-2019:3200
- https://access.redhat.com/errata/RHSA-2020:0159
- https://access.redhat.com/errata/RHSA-2020:0160
- https://access.redhat.com/errata/RHSA-2020:0161
- https://access.redhat.com/errata/RHSA-2020:0164
- https://access.redhat.com/errata/RHSA-2020:0445
- https://access.redhat.com/errata/RHSA-2020:0729
- https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016@%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9@%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0@%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb@%3Ccommits.hbase.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
- https://seclists.org/bugtraq/2019/Oct/6
- https://security.netapp.com/advisory/ntap-20191004-0002/
- https://www.debian.org/security/2019/dsa-4542
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db
- https://github.com/advisories/GHSA-85cw-hj65-qqv9 (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2019-16335 https://nvd.nist.gov/vuln/detail/CVE-2019-16335
- https://bugzilla.redhat.com/show_bug.cgi?id=1755831
- https://access.redhat.com/errata/RHSA-2020:0899
- https://access.redhat.com/errata/RHSA-2020:1644
- https://access.redhat.com/errata/RHSA-2020:2333
- https://access.redhat.com/errata/RHSA-2020:3192
- https://access.redhat.com/errata/RHSA-2020:0895
- https://access.redhat.com/errata/RHSA-2020:2067
- https://access.redhat.com/security/cve/cve-2019-16335
- https://security-tracker.debian.org/tracker/CVE-2019-16335
- https://access.redhat.com/security/cve/CVE-2019-14540
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1755832
- https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
- https://access.redhat.com/solutions/3279231
- https://exchange.xforce.ibmcloud.com/vulnerabilities/167205
- https://www.ibm.com/support/pages/node/6335281 (Advisory)
- https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69%40%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1%40%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016%40%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0%40%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9%40%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb%40%3Ccommits.hbase.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2019-16335?
CVE-2019-16335 has been classified with a high-severity rating due to its potential impact on the integrity of applications using the affected versions of jackson-databind.
How do I fix CVE-2019-16335?
To remediate CVE-2019-16335, upgrade to jackson-databind version 2.6.7.3, 2.8.11.5, or 2.9.10 or later.
What systems are affected by CVE-2019-16335?
CVE-2019-16335 affects various systems utilizing FasterXML jackson-databind versions prior to 2.9.10, including several JBoss and Red Hat products.
Is CVE-2019-16335 related to any other vulnerabilities?
CVE-2019-16335 is related but distinct from CVE-2019-14540, addressing separate issues within the jackson-databind library.
Are there specific platforms at risk for CVE-2019-16335?
Platforms such as Red Hat Enterprise Linux, Fedora, and various JBoss applications are at risk if they run the affected versions of jackson-databind.
- collector/github-advisory-latest
- alias/GHSA-85cw-hj65-qqv9
- alias/CVE-2019-16335
- collector/github-advisory
- collector/redhat-cve
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/author
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/description
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-cve
- collector/nvd-index
- package-manager/maven
- package-manager/redhat
- package-manager/debian
- vendor/ibm
- canonical/ibm data risk manager
- version/ibm data risk manager/2.0.6
- vendor/fasterxml
- canonical/fasterxml jackson-databind
- version/fasterxml jackson-databind/2.0.0
- version/fasterxml jackson-databind/2.7.0
- version/fasterxml jackson-databind/2.9.0
- vendor/fedoraproject
- canonical/fedora
- version/fedora/30
- version/fedora/31
- vendor/debian
- canonical/debian
- version/debian/8.0
- version/debian/9.0
- version/debian/10.0
- vendor/netapp
- canonical/netapp oncommand api services
- canonical/netapp oncommand workflow automation
- canonical/netapp steelstore
- vendor/redhat
- canonical/redhat jboss enterprise application platform
- version/redhat jboss enterprise application platform/7.2
- version/redhat jboss enterprise application platform/7.3
- canonical/red hat enterprise linux
- version/red hat enterprise linux/6.0
- version/red hat enterprise linux/7.0
- version/red hat enterprise linux/8.0
- vendor/oracle
- canonical/oracle banking platform
- version/oracle banking platform/2.4.0
- version/oracle banking platform/2.4.1
- version/oracle banking platform/2.5.0
- version/oracle banking platform/2.6.0
- version/oracle banking platform/2.6.1
- version/oracle banking platform/2.7.0
- version/oracle banking platform/2.7.1
- canonical/oracle customer management and segmentation foundation
- version/oracle customer management and segmentation foundation/18.0
- canonical/oracle financial services analytical applications infrastructure
- version/oracle financial services analytical applications infrastructure/8.0.2
- version/oracle financial services analytical applications infrastructure/8.0.8
- canonical/oracle global lifecycle management opatch
- version/oracle global lifecycle management opatch/12.2.0.1.0
- version/oracle global lifecycle management opatch/13.9.4.0.0
- canonical/oracle goldengate application adapters
- version/oracle goldengate application adapters/19.1.0.0.0
- canonical/oracle goldengate stream analytics
- canonical/oracle primavera gateway
- version/oracle primavera gateway/17.7
- version/oracle primavera gateway/17.12
- version/oracle primavera gateway/15.2
- version/oracle primavera gateway/16.1
- version/oracle primavera gateway/16.2
- version/oracle primavera gateway/18.8.0
- version/oracle customer management and segmentation foundation/17.0
- canonical/oracle retail xstore office cloud service
- version/oracle retail xstore office cloud service/7.1
- version/oracle retail xstore office cloud service/15.0
- version/oracle retail xstore office cloud service/16.0
- version/oracle retail xstore office cloud service/17.0
- version/oracle retail xstore office cloud service/18.0
- canonical/oracle weblogic server
- version/oracle weblogic server/12.2.1.3.0