
CVE-2019-14439

jackson-databind: Polymorphic typing issue related to logback/JNDI

Severity Score: 7.5 (CVSS v3.1)
Exploit Likelihood: (EPSS)
Affected Versions: (CPE)
Public Exploits: 1 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

Credits: N/A

CVSS Scores
CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None
CVSS v2.0
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2019-07-30 CVE Reserved
  • 2019-07-30 CVE Published
  • 2019-08-01 First Exploit
  • 2024-07-23 EPSS Updated
  • 2024-08-05 CVE Updated
  • Exploited in Wild: -
  • KEV Due Date: -
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-502: Deserialization of Untrusted Data
CAPEC
References (32)
URL | Tag
https://github.com/FasterXML/jackson-databind/issues/2389 Issue Tracking
https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9%40%3Cdev.tomee.apache.org%3E Mailing List
https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4%40%3Cdev.tomee.apache.org%3E Mailing List
https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d%40%3Cdev.tomee.apache.org%3E Mailing List
https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592%40%3Ccommits.cassandra.apache.org%3E Mailing List
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E Mailing List
https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9%40%3Cdev.tomee.apache.org%3E Mailing List
https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319%40%3Cdev.tomee.apache.org%3E Mailing List
https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1%40%3Cdev.tomee.apache.org%3E Mailing List
https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b%40%3Cdev.tomee.apache.org%3E Mailing List
https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3Cdev.struts.apache.org%3E Mailing List
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E Mailing List
https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E Mailing List
https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be%40%3Cdev.tomee.apache.org%3E Mailing List
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E Mailing List
https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html Mailing List
https://seclists.org/bugtraq/2019/Oct/6 Mailing List
https://security.netapp.com/advisory/ntap-20190814-0001 Third Party Advisory
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Fasterxml | Jackson-databind | >= 2.0.0 < 2.6.7.3 | - | Affected
Fasterxml | Jackson-databind | >= 2.7.0 < 2.7.9.6 | - | Affected
Fasterxml | Jackson-databind | >= 2.8.0 < 2.8.11.4 | - | Affected
Fasterxml | Jackson-databind | >= 2.9.0 < 2.9.9.2 | - | Affected
Debian | Debian Linux | 8.0 | - | Affected
Debian | Debian Linux | 9.0 | - | Affected
Debian | Debian Linux | 10.0 | - | Affected
Fedoraproject | Fedora | 29 | - | Affected
Fedoraproject | Fedora | 30 | - | Affected
Apache | Drill | 1.16.0 | - | Affected
Redhat | Jboss Middleware Text-only Advisories | 1.0 | middleware | Affected
Oracle | Banking Platform | 2.4.0 | - | Affected
Oracle | Banking Platform | 2.4.1 | - | Affected
Oracle | Banking Platform | 2.5.0 | - | Affected
Oracle | Banking Platform | 2.6.0 | - | Affected
Oracle | Banking Platform | 2.6.1 | - | Affected
Oracle | Banking Platform | 2.7.0 | - | Affected
Oracle | Banking Platform | 2.7.1 | - | Affected
Oracle | Communications Diameter Signaling Router | 8.0.0 | - | Affected
Oracle | Communications Diameter Signaling Router | 8.1 | - | Affected
Oracle | Communications Diameter Signaling Router | 8.2 | - | Affected
Oracle | Communications Diameter Signaling Router | 8.2.1 | - | Affected
Oracle | Communications Instant Messaging Server | 10.0.1.3.0 | - | Affected
Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.2 <= 8.0.8 | - | Affected
Oracle | Global Lifecycle Management Opatch | < 11.2.0.3.23 | - | Affected
Oracle | Global Lifecycle Management Opatch | >= 12.2.0.1.0 < 12.2.0.1.19 | - | Affected
Oracle | Global Lifecycle Management Opatch | >= 13.9.4.0.0 < 13.9.4.2.1 | - | Affected
Oracle | Global Lifecycle Management Opatch | 11.2.0.3.23 | - | Affected
Oracle | Global Lifecycle Management Opatch | 13.9.4.2.1 | - | Affected
Oracle | Goldengate Stream Analytics | < 19.1.0.0.1 | - | Affected
Oracle | Jd Edwards Enterpriseone Orchestrator | 9.2 | - | Affected
Oracle | Jd Edwards Enterpriseone Tools | 9.2 | - | Affected
Oracle | Primavera Gateway | >= 17.7 <= 17.12 | - | Affected
Oracle | Primavera Gateway | 15.2 | - | Affected
Oracle | Primavera Gateway | 16.1 | - | Affected
Oracle | Primavera Gateway | 16.2 | - | Affected
Oracle | Primavera Gateway | 18.8.0 | - | Affected
Oracle | Retail Customer Management And Segmentation Foundation | 17.0 | - | Affected
Oracle | Retail Xstore Point Of Service | 7.1 | - | Affected
Oracle | Retail Xstore Point Of Service | 15.0 | - | Affected
Oracle | Retail Xstore Point Of Service | 16.0 | - | Affected
Oracle | Retail Xstore Point Of Service | 17.0 | - | Affected
Oracle | Retail Xstore Point Of Service | 18.0 | - | Affected
Oracle | Siebel Engineering - Installer & Deployment | <= 19.8 | - | Affected
Oracle | Siebel Ui Framework | <= 19.10 | - | Affected