Vulnerability Description
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
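The configuration the description refers to, shown as an added illustration that is not part of this advisory or of the jackson-databind project: an ObjectMapper with global Default Typing enabled, beside the hardened alternative of leaving Default Typing off and declaring the permitted subtypes explicitly. The Notification classes, the "kind" discriminator and the sample JSON are constructed for the example.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class PolymorphicTypingExample {

    // Weak setting (the configuration this advisory describes): global Default
    // Typing lets the JSON document itself name the class to instantiate for
    // Object-typed properties, so untrusted input decides which classes on the
    // classpath get constructed.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10, but this is the 2.x setting at issue
        return mapper;
    }

    // Hardened approach that works across 2.x: Default Typing stays off. Where
    // polymorphism is genuinely needed, the allowed subtypes are declared with
    // logical names, so the wire format never carries a Java class name.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = EmailNotification.class, name = "email"),
        @JsonSubTypes.Type(value = SmsNotification.class, name = "sms")
    })
    interface Notification { String target(); }

    public static final class EmailNotification implements Notification {
        public String address;
        @Override public String target() { return address; }
    }

    public static final class SmsNotification implements Notification {
        public String phone;
        @Override public String target() { return phone; }
    }

    static ObjectMapper hardenedMapper() {
        return new ObjectMapper(); // no enableDefaultTyping() call
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: "kind" selects only among the declared subtypes.
        String json = "{\"kind\":\"email\",\"address\":\"alice@example.org\"}";
        Notification n = hardenedMapper().readValue(json, Notification.class);
        System.out.println(n.target());

        // Any other type id, including a fully qualified class name, is rejected
        // instead of being resolved against the classpath.
        String unknown = "{\"kind\":\"java.lang.Object\",\"address\":\"x\"}";
        try {
            hardenedMapper().readValue(unknown, Notification.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```

The first remediation for affected versions is the upgrade named in the description (2.9.9.2 or later). For code that cannot drop Default Typing entirely, jackson-databind 2.10 and later provide `ObjectMapper.activateDefaultTyping(PolymorphicTypeValidator, ...)` together with `BasicPolymorphicTypeValidator`, which restricts resolvable types to an explicit allow-list rather than the whole classpath.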
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fasterxml | Jackson-Databind | >= 2.0.0, < 2.6.7.3 |
| Debian | Debian Linux | 8.0 |
| Fedoraproject | Fedora | 29 |
| Apache | Drill | 1.16.0 |
| Redhat | Jboss Middleware Text-Only Advisories | 1.0 |
| Oracle | Banking Platform | 2.4.0 |
| Oracle | Communications Diameter Signaling Router | 8.0.0 |
| Oracle | Communications Instant Messaging Server | 10.0.1.3.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.2, <= 8.0.8 |
| Oracle | Global Lifecycle Management Opatch | < 11.2.0.3.23 |
| Oracle | Goldengate Stream Analytics | < 19.1.0.0.1 |
| Oracle | Jd Edwards Enterpriseone Orchestrator | 9.2 |
| Oracle | Jd Edwards Enterpriseone Tools | 9.2 |
| Oracle | Primavera Gateway | >= 17.7, <= 17.12 |
| Oracle | Retail Customer Management And Segmentation Foundation | 17.0 |
| Oracle | Retail Xstore Point Of Service | 7.1 |
| Oracle | Siebel Engineering - Installer & Deployment | <= 19.8 |
| Oracle | Siebel Ui Framework | <= 19.10 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2019:3200 (Third Party Advisory)
- https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa (Patch)
- https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1.. (Patch, Product)
- https://github.com/FasterXML/jackson-databind/issues/2389 (Issue Tracking, Third Party Advisory)
- https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395
- https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbca
- https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15
- https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e8520684907
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e
- https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5ab
- https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df326
- https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63
- https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7a
- https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12e
FAQ
What is CVE-2019-14439?
CVE-2019-14439 is a vulnerability with a CVSS score of 7.5 (HIGH). A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally ex...
How severe is CVE-2019-14439?
CVE-2019-14439 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2019-14439?
Check the references section above for vendor advisories and patch information. Affected products include: Fasterxml Jackson-Databind, Debian Debian Linux, Fedoraproject Fedora, Apache Drill, Redhat Jboss Middleware Text-Only Advisories.