CVE-2019-16943
Aliases:GHSA-fmmc-742q-jg75
Advisory lineage Upstream: 0 Downstream: 10
Modified
Published: 01 Oct 2019, 16:06
Last modified:05 Aug 2024, 01:24
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.8 CRITICAL
v3.1 (nvd)
EPSS Score
1.89% LOW
2% probability +0.05%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
01 Oct 2019, 16:06
Published
Vulnerability first disclosed
05 Aug 2024, 01:24
Last Modified
Vulnerability information updated
Description
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
CVSS Metrics
- v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- v2.0•MEDIUM•Score: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS Trends
Current EPSS score: 1.89%• Percentile: 84%
Techniques & Countermeasures
- CWE-502•Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Systems
- debian•debian_linux
8.0 | 9.0 | 10.0
- fasterxml•jackson-databind
≥ 2.0.0, < 2.6.7.3 | ≥ 2.7.0, < 2.8.11.5 | ≥ 2.9.0, < 2.9.10.1
- fedoraproject•fedora
30 | 31
- com.fasterxml.jackson.core•jackson-databind
≥ 2.9.0, < 2.9.10.1 | ≥ 2.7.0, < 2.8.11.5 | < 2.6.7.3
- netapp•active_iq_unified_manager
≥ 7.3 | ≥ 9.5
- netapp•oncommand_api_services
na
- netapp•oncommand_workflow_automation
na
- netapp•service_level_manager
na
- netapp•steelstore_cloud_integrated_storage
na
- oracle•banking_platform
2.4.0 | 2.4.1 | 2.5.0 | 2.6.0 | 2.6.1 | 2.6.2 | 2.7.0 | 2.7.1 | 2.9.0
- oracle•communications_billing_and_revenue_management
7.5.0.23.0 | 12.0.0.3.0
- oracle•communications_calendar_server
8.0.0.2.0 | 8.0.0.3.0
- oracle•communications_cloud_native_core_network_slice_selection_function
1.2.1
- oracle•communications_evolved_communications_application_server
7.1
- oracle•global_lifecycle_management_nextgen_oui_framework
12.2.1.3.0 | 12.2.1.4.0 | 13.9.4.2.2
- oracle•goldengate_application_adapters
19.1.0.0.0
- oracle•jd_edwards_enterpriseone_orchestrator
9.2
- oracle•jd_edwards_enterpriseone_tools
9.2
- oracle•primavera_gateway
≥ 17.7, ≤ 17.12.6 | ≥ 18.8.0, ≤ 18.8.8 | 16.1 | 16.2 | 19.12.0
- oracle•retail_merchandising_system
15.0.3 | 16.0.2 | 16.0.3
- oracle•retail_sales_audit
14.1
- oracle•siebel_engineering_-_installer_\&_deployment
≤ 2.20.5
- oracle•trace_file_analyzer
12.2.0.1 | 18c | 19c
- oracle•webcenter_portal
12.2.1.3.0 | 12.2.1.4.0
- oracle•webcenter_sites
12.2.1.3.0 | 12.2.1.4.0
- Unknown•WebLogic Server
12.2.1.3.0 | 12.2.1.4.0
- redhat•jboss_enterprise_application_platform
7.2 | 7.3
References (42)
- https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html
- https://www.debian.org/security/2019/dsa-4542
- https://seclists.org/bugtraq/2019/Oct/6
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
- https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd%40%3Ccommits.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f%40%3Ccommits.druid.apache.org%3E
- https://access.redhat.com/errata/RHSA-2020:0164
- https://access.redhat.com/errata/RHSA-2020:0159
- https://access.redhat.com/errata/RHSA-2020:0160
- https://access.redhat.com/errata/RHSA-2020:0161
- https://access.redhat.com/errata/RHSA-2020:0445
- https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://github.com/FasterXML/jackson-databind/issues/2478
- https://security.netapp.com/advisory/ntap-20191017-0006/
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-16943
- https://github.com/FasterXML/jackson-databind/commit/328a0f833daf6baa443ac3b37c818a0204714b0b
- https://github.com/FasterXML/jackson-databind/commit/bc67eb11a7cf57561f861ff16f879f1fceb5779f
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT
- https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://security.netapp.com/advisory/ntap-20191017-0006
- https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd@%3Ccommits.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://github.com/FasterXML/jackson-databind