CVE-2019-14379 — CRITICAL (9.8)

Q: How severe is CVE-2019-14379?

CVE-2019-14379 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2019-14379?

Check the references section above for vendor advisories and patch information. Affected products include: Fasterxml Jackson-Databind, Debian Debian Linux, Netapp Active Iq Unified Manager, Netapp Oncommand Workflow Automation, Netapp Service Level Manager.

Vulnerability Description

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Fasterxml	Jackson-Databind	>= 2.0.0, < 2.6.7.3
Debian	Debian Linux	8.0
Netapp	Active Iq Unified Manager	>= 7.3
Netapp	Oncommand Workflow Automation	-
Netapp	Service Level Manager	-
Netapp	Snapcenter	-
Fedoraproject	Fedora	29
Redhat	Jboss Enterprise Application Platform	7.2
Redhat	Openshift Container Platform	4.1
Redhat	Single Sign-On	7.3
Redhat	Enterprise Linux	7.0
Oracle	Banking Platform	2.4.0
Oracle	Communications Diameter Signaling Router	8.0.0
Oracle	Communications Instant Messaging Server	10.0.1.3.0
Oracle	Financial Services Analytical Applications Infrastructure	>= 8.0.2, <= 8.0.8
Oracle	Goldengate Stream Analytics	< 19.1.0.0.1
Oracle	Jd Edwards Enterpriseone Orchestrator	9.2
Oracle	Jd Edwards Enterpriseone Tools	9.2
Oracle	Primavera Gateway	15.2
Oracle	Primavera Unifier	>= 17.7, <= 17.12

Related Weaknesses (CWE)

CWE-1321

References

http://seclists.org/fulldisclosure/2022/Mar/23Mailing ListThird Party Advisory
https://access.redhat.com/errata/RHBA-2019:2824Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2743Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2858Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2935Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2936Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2937Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2938Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2998Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3044Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3045Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3046Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3050Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3149Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3200Third Party Advisory

FAQ

What is CVE-2019-14379?

CVE-2019-14379 is a vulnerability with a CVSS score of 9.8 (CRITICAL). SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leadi...

How severe is CVE-2019-14379?

CVE-2019-14379 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-14379?

Check the references section above for vendor advisories and patch information. Affected products include: Fasterxml Jackson-Databind, Debian Debian Linux, Netapp Active Iq Unified Manager, Netapp Oncommand Workflow Automation, Netapp Service Level Manager.