Vulnerability Description
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
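The precondition in the description is Default Typing, which lets the JSON document name the class to instantiate. The following is an added example (not code from the advisory or from the jackson-databind project) contrasting the weak configuration with the hardened one; the package prefix `com.example.model.` is an assumed placeholder for application-owned types.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingConfig {

    // Weak configuration (pre-2.10 API, deprecated since 2.10): any polymorphic
    // property may name an arbitrary class that happens to be on the classpath.
    // This is the "Default Typing is enabled" precondition of CVE-2019-17531.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Hardened configuration (2.10+ API): default typing is honoured only for
    // subtypes under an application-owned package (assumed placeholder prefix).
    // Any other class id is rejected at deserialization time with an
    // InvalidTypeIdException instead of being instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Preferred where the schema allows it: keep default typing off entirely
    // and bind each externally exposed endpoint to a concrete target class, so
    // the caller has no way to choose which type gets instantiated.
    static ObjectMapper strictMapper() {
        return new ObjectMapper();
    }
}
```

Upgrading jackson-databind picks up the project's denylist fix for this specific gadget (see the GitHub issue in the references); removing reliance on unrestricted default typing, as above, addresses the whole class of issue rather than one gadget.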
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fasterxml | Jackson-Databind | >= 2.0.0, < 2.6.7.3 |
| Debian | Debian Linux | 8.0 |
| Redhat | Jboss Enterprise Application Platform | 7.2 |
| Redhat | Enterprise Linux Server | 6.0 |
| Oracle | Banking Platform | 2.4.0 |
| Oracle | Communications Billing And Revenue Management | 7.5.0.23.0 |
| Oracle | Communications Calendar Server | 8.0.0.2.0 |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.2.1 |
| Oracle | Communications Evolved Communications Application Server | 7.1 |
| Oracle | Global Lifecycle Management Nextgen Oui Framework | 12.2.1.3.0 |
| Oracle | Goldengate Application Adapters | 19.1.0.0.0 |
| Oracle | Jd Edwards Enterpriseone Orchestrator | 9.2 |
| Oracle | Jd Edwards Enterpriseone Tools | 9.2 |
| Oracle | Primavera Gateway | >= 17.7, <= 17.12.6 |
| Oracle | Retail Merchandising System | 15.0.3 |
| Oracle | Retail Sales Audit | 14.1 |
| Oracle | Siebel Engineering - Installer & Deployment | <= 2.20.5 |
| Oracle | Trace File Analyzer | 12.2.0.1 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
| Oracle | Webcenter Sites | 12.2.1.3.0 |
References
- https://access.redhat.com/errata/RHSA-2019:4192 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0159 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0160 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0161 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0164 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0445 (Third Party Advisory)
- https://github.com/FasterXML/jackson-databind/issues/2498 (Patch, Third Party Advisory)
- https://lists.apache.org/thread.html/b3c90d38f99db546de60fea65f99a924d540fae2285
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab
- https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7d
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741
- https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html (Mailing List, Third Party Advisory)
- https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-n
- https://security.netapp.com/advisory/ntap-20191024-0005/ (Third Party Advisory)
- https://www.oracle.com//security-alerts/cpujul2021.html (Patch, Third Party Advisory)
FAQ
What is CVE-2019-17531?
CVE-2019-17531 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON...
How severe is CVE-2019-17531?
CVE-2019-17531 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-17531?
Check the references section above for vendor advisories and patch information. Affected products include: Fasterxml Jackson-Databind, Debian Debian Linux, Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux Server, Oracle Banking Platform.