Vulnerability Description
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
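The following added example (not part of this advisory or of the Jackson project) puts the weak Default Typing setting the description refers to beside a hardened configuration that only admits the application's own types; the package `com.example.api`, the `Envelope` class and the sample input are constructed for the example, and a harmless JDK class stands in for the commons-dbcp gadget so it runs on any JVM with jackson-databind 2.10 or later.

```java
package com.example.api; // hypothetical package, referenced by the allow-list below

import java.io.IOException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // An Object-typed property is where Default Typing bites: the JSON document names the concrete class.
    public static class Envelope { public Object payload; }

    // Weak: the setting the advisory describes (deprecated since Jackson 2.10). Any class on the
    // classpath can be named in the document, including the commons-dbcp datasources listed above.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        return new ObjectMapper().enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Hardened: if polymorphic input is unavoidable, a PolymorphicTypeValidator (Jackson 2.10+)
    // restricts the type ids to this application's own package; everything else is refused
    // before any constructor or setter of the named class runs.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.api.")
                .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Constructed input: with WRAPPER_ARRAY default typing, ["<class>", value] selects the class.
    // java.util.TreeMap is a harmless stand-in for a gadget class.
    static final String CLIENT_CHOSEN_TYPE = "{\"payload\":[\"java.util.TreeMap\",{}]}";

    // Returns the class the mapper actually instantiated, or null when the type id was refused.
    static String classInstantiated(ObjectMapper m) throws IOException {
        try {
            Envelope e = m.readValue(CLIENT_CHOSEN_TYPE, Envelope.class);
            return e.payload.getClass().getName();
        } catch (InvalidTypeIdException refused) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("weak mapper instantiated:     " + classInstantiated(weakMapper()));
        System.out.println("hardened mapper instantiated: " + classInstantiated(hardenedMapper()));
    }
}
```

The weak mapper lets the document pick the runtime class of `payload`; the hardened one throws `InvalidTypeIdException` for the same input, which is the behaviour a defender can assert on in a unit test against an externally exposed endpoint.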
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fasterxml | Jackson-Databind | >= 2.0.0, < 2.6.7.3 |
| Debian | Debian Linux | 8.0 |
| Fedoraproject | Fedora | 30 |
| Redhat | Jboss Enterprise Application Platform | 7.2.0 |
| Redhat | Enterprise Linux | 6.0 |
| Netapp | Active Iq Unified Manager | >= 7.3 |
| Netapp | Oncommand Api Services | - |
| Netapp | Oncommand Workflow Automation | - |
| Netapp | Service Level Manager | - |
| Netapp | Steelstore Cloud Integrated Storage | - |
| Oracle | Banking Platform | 2.4.0 |
| Oracle | Communications Billing And Revenue Management | 7.5.0.23.0 |
| Oracle | Communications Calendar Server | 8.0.0.2.0 |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.2.1 |
| Oracle | Communications Evolved Communications Application Server | 7.1 |
| Oracle | Database Server | 12.2.0.1 |
| Oracle | Global Lifecycle Management Nextgen Oui Framework | 12.2.1.3.0 |
| Oracle | Goldengate Application Adapters | 19.1.0.0.0 |
| Oracle | Jd Edwards Enterpriseone Orchestrator | 9.2 |
| Oracle | Jd Edwards Enterpriseone Tools | 9.2 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2019:3901 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0159 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0160 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0161 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0164 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0445 (Third Party Advisory)
- https://github.com/FasterXML/jackson-databind/issues/2478 (Patch, Third Party Advisory)
- https://issues.apache.org/jira/browse/GEODE-7255 (Issue Tracking, Third Party Advisory)
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e
- https://lists.apache.org/thread.html/7782a937c9259a58337ee36b2961f00e2d744feafc1
- https://lists.apache.org/thread.html/a430dbc9be874c41314cc69e697384567a9a24025e8
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12e
- https://lists.apache.org/thread.html/b2e23c94f9dfef53e04c492e5d02e5c75201734be7a
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d28
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab
FAQ
What is CVE-2019-16942?
CVE-2019-16942 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON...
How severe is CVE-2019-16942?
CVE-2019-16942 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-16942?
Check the references section above for vendor advisories and patch information. Affected products include: Fasterxml Jackson-Databind, Debian Debian Linux, Fedoraproject Fedora, Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux.