CVE-2019-14893 — CRITICAL (9.8)

Q: How severe is CVE-2019-14893?

CVE-2019-14893 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2019-14893?

Check the references section above for vendor advisories and patch information. Affected products include: Fasterxml Jackson-Databind, Netapp Oncommand Api Services, Netapp Steelstore Cloud Integrated Storage, Oracle Goldengate Stream Analytics.

Vulnerability Description

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Fasterxml	Jackson-Databind	>= 2.8.0, < 2.8.11.5
Netapp	Oncommand Api Services	-
Netapp	Steelstore Cloud Integrated Storage	-
Oracle	Goldengate Stream Analytics	< 19.1.0.0.1

Related Weaknesses (CWE)

CWE-502 CWE-200

References

https://access.redhat.com/errata/RHSA-2020:0729Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893Issue TrackingPatchThird Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2469Third Party Advisory
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741
https://security.netapp.com/advisory/ntap-20200327-0006/Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory
https://access.redhat.com/errata/RHSA-2020:0729Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893Issue TrackingPatchThird Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2469Third Party Advisory
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741
https://security.netapp.com/advisory/ntap-20200327-0006/Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory

FAQ

What is CVE-2019-14893?

CVE-2019-14893 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when us...

How severe is CVE-2019-14893?

CVE-2019-14893 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-14893?

Check the references section above for vendor advisories and patch information. Affected products include: Fasterxml Jackson-Databind, Netapp Oncommand Api Services, Netapp Steelstore Cloud Integrated Storage, Oracle Goldengate Stream Analytics.