Vulnerability Monitor

CVE-2019-16943

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Published

2019-10-01T17:15:10.400

Last Modified

2024-11-21T04:31:23.737

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-502

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application fasterxml jackson-databind < 2.6.7.3 Yes
Application fasterxml jackson-databind < 2.8.11.5 Yes
Application fasterxml jackson-databind < 2.9.10.1 Yes
Operating System debian debian_linux 8.0 Yes
Operating System debian debian_linux 9.0 Yes
Operating System debian debian_linux 10.0 Yes
Operating System fedoraproject fedora 30 Yes
Operating System fedoraproject fedora 31 Yes
Application redhat jboss_enterprise_application_platform 7.2 Yes
Application redhat jboss_enterprise_application_platform 7.3 Yes
Operating System redhat enterprise_linux_server 6.0 No
Operating System redhat enterprise_linux_server 7.0 No
Application redhat jboss_enterprise_application_platform 7.2 Yes
Application redhat jboss_enterprise_application_platform 7.3 Yes
Operating System redhat enterprise_linux_server 8.0 No
Application oracle banking_platform 2.4.0 Yes
Application oracle banking_platform 2.4.1 Yes
Application oracle banking_platform 2.5.0 Yes
Application oracle banking_platform 2.6.0 Yes
Application oracle banking_platform 2.6.1 Yes
Application oracle banking_platform 2.6.2 Yes
Application oracle banking_platform 2.7.0 Yes
Application oracle banking_platform 2.7.1 Yes
Application oracle banking_platform 2.9.0 Yes
Application oracle communications_billing_and_revenue_management 7.5.0.23.0 Yes
Application oracle communications_billing_and_revenue_management 12.0.0.3.0 Yes
Application oracle communications_calendar_server 8.0.0.2.0 Yes
Application oracle communications_calendar_server 8.0.0.3.0 Yes
Application oracle communications_cloud_native_core_network_slice_selection_function 1.2.1 Yes
Application oracle communications_evolved_communications_application_server 7.1 Yes
Application oracle global_lifecycle_management_nextgen_oui_framework 12.2.1.3.0 Yes
Application oracle global_lifecycle_management_nextgen_oui_framework 12.2.1.4.0 Yes
Application oracle global_lifecycle_management_nextgen_oui_framework 13.9.4.2.2 Yes
Application oracle goldengate_application_adapters 19.1.0.0.0 Yes
Application oracle jd_edwards_enterpriseone_orchestrator 9.2 Yes
Application oracle jd_edwards_enterpriseone_tools 9.2 Yes
Application oracle primavera_gateway ≤ 17.12.6 Yes
Application oracle primavera_gateway ≤ 18.8.8 Yes
Application oracle primavera_gateway 16.1 Yes
Application oracle primavera_gateway 16.2 Yes
Application oracle primavera_gateway 19.12.0 Yes
Application oracle retail_merchandising_system 15.0.3 Yes
Application oracle retail_merchandising_system 16.0.2 Yes
Application oracle retail_merchandising_system 16.0.3 Yes
Application oracle retail_sales_audit 14.1 Yes
Application oracle siebel_engineering_-_installer_&_deployment ≤ 2.20.5 Yes
Application oracle trace_file_analyzer 12.2.0.1 Yes
Application oracle trace_file_analyzer 18c Yes
Application oracle trace_file_analyzer 19c Yes
Application oracle webcenter_portal 12.2.1.3.0 Yes
Application oracle webcenter_portal 12.2.1.4.0 Yes
Application oracle webcenter_sites 12.2.1.3.0 Yes
Application oracle webcenter_sites 12.2.1.4.0 Yes
Application oracle weblogic_server 12.2.1.3.0 Yes
Application oracle weblogic_server 12.2.1.4.0 Yes
Application netapp active_iq_unified_manager ≥ 7.3 Yes
Application netapp active_iq_unified_manager ≥ 7.3 Yes
Application netapp active_iq_unified_manager ≥ 9.5 Yes
Application netapp oncommand_api_services - Yes
Application netapp oncommand_workflow_automation - Yes
Application netapp service_level_manager - Yes
Application netapp steelstore_cloud_integrated_storage - Yes

References