Vulnerability Description
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
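The precondition named above, "Default Typing is enabled", is a single ObjectMapper setting. The following Java class is an added illustration (not code from this advisory, from the Jackson project or from p6spy) that places that weak setting beside the allowlist-based form Jackson 2.10 introduced with `activateDefaultTyping(PolymorphicTypeValidator, DefaultTyping)`. The package name `com.example.shapes`, the `Circle` type and the JSON inputs are constructed for the example; with an allowlist in place, a type id naming any class outside the listed package, the p6spy class named in this advisory included, is refused before the class is instantiated.

```java
package com.example.shapes;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added illustration: weak default-typing configuration next to a hardened one.
// Requires jackson-databind 2.10 or later for the PolymorphicTypeValidator API.
public class DefaultTypingHardening {

    // Constructed sample payload type; it lives under the allowlisted package.
    public static class Circle {
        public double radius;
    }

    // Weak: any class present on the classpath may be named as a type id in the
    // JSON, so every library jar on the classpath widens the attack surface.
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        // Deprecated since 2.10 because it performs no validation of the type id.
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Hardened: polymorphic type ids are honoured only for classes under an
    // explicit package prefix; any other id fails before instantiation.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.shapes.")   // constructed allowlist prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Returns true when the mapper refuses a type id that is not allowlisted.
    public static boolean rejectsUnlistedType(ObjectMapper mapper) {
        // Constructed input: a harmless JDK class that is on every classpath
        // but is not under the allowlisted package.
        String json = "[\"java.util.HashMap\", {\"k\": \"v\"}]";
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (JsonMappingException denied) {
            // InvalidTypeIdException (a JsonMappingException) signals the validator's refusal.
            return true;
        } catch (java.io.IOException other) {
            throw new IllegalStateException(other);
        }
    }

    public static void main(String[] args) throws Exception {
        // An allowlisted type still deserializes through the hardened mapper.
        String circle = "[\"com.example.shapes.DefaultTypingHardening$Circle\", {\"radius\": 2.0}]";
        Object ok = hardenedMapper().readValue(circle, Object.class);
        System.out.println("allowlisted type deserialized as: " + ok.getClass().getName());
        System.out.println("weak mapper refuses unlisted type: " + rejectsUnlistedType(weakMapper()));
        System.out.println("hardened mapper refuses unlisted type: " + rejectsUnlistedType(hardenedMapper()));
    }
}
```

A practical check for a service on an affected version is to grep its codebase for `enableDefaultTyping` and for `@JsonTypeInfo(use = Id.CLASS)` on `Object`-typed properties, since either one is the "Default Typing" precondition this advisory describes; the allowlist shown above only helps once the library has been upgraded to a release that ships `PolymorphicTypeValidator`.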
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fasterxml | Jackson-Databind | >= 2.0.0, < 2.6.7.3 |
| Debian | Debian Linux | 8.0 |
| Fedoraproject | Fedora | 30 |
| Redhat | Jboss Enterprise Application Platform | 7.2 |
| Redhat | Enterprise Linux Server | 6.0 |
| Oracle | Banking Platform | 2.4.0 |
| Oracle | Communications Billing And Revenue Management | 7.5.0.23.0 |
| Oracle | Communications Calendar Server | 8.0.0.2.0 |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.2.1 |
| Oracle | Communications Evolved Communications Application Server | 7.1 |
| Oracle | Global Lifecycle Management Nextgen Oui Framework | 12.2.1.3.0 |
| Oracle | Goldengate Application Adapters | 19.1.0.0.0 |
| Oracle | Jd Edwards Enterpriseone Orchestrator | 9.2 |
| Oracle | Jd Edwards Enterpriseone Tools | 9.2 |
| Oracle | Primavera Gateway | >= 17.7, <= 17.12.6 |
| Oracle | Retail Merchandising System | 15.0.3 |
| Oracle | Retail Sales Audit | 14.1 |
| Oracle | Siebel Engineering - Installer & Deployment | <= 2.20.5 |
| Oracle | Trace File Analyzer | 12.2.0.1 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2020:0159 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0160 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0161 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0164 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0445 (Third Party Advisory)
- https://github.com/FasterXML/jackson-databind/issues/2478 (Patch, Third Party Advisory)
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e
- https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef373125327
- https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee6
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12e
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d28
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab
- https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7d
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741
- https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html (Mailing List, Third Party Advisory)
FAQ
What is CVE-2019-16943?
CVE-2019-16943 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON...
How severe is CVE-2019-16943?
CVE-2019-16943 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-16943?
Check the references section above for vendor advisories and patch information. Affected products include: Fasterxml Jackson-Databind, Debian Debian Linux, Fedoraproject Fedora, Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux Server.