Permissions, Privileges, and Access Controls in jackson-databind

#VU19933 Permissions, Privileges, and Access Controls in jackson-databind

Published: 2019-08-05

Vulnerability identifier: #VU19933

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2019-14379

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
jackson-databind
Universal components / Libraries / Libraries used by multiple products

Vendor: FasterXML

Description

The vulnerability allows a remote attacker to execute arbitrary code on a targeted system.

The vulnerability exists due to the "SubTypeValidator.java" file mishandles default typing when Ehcache is used. A remote attacker can send a request that submits malicious input to the targeted system and execute arbitrary code.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.9.1, 2.8.0 - 2.8.11.4, 2.7.0 - 2.7.9.6, 2.6.0 - 2.6.8, 2.5.0 - 2.5.5, 2.4.0 - 2.4.6.1, 2.3.0 - 2.3.5, 2.1.0 - 2.1.4, 2.0.0 - 2.0.4

CPE

cpe:2.3:a:fasterxml:jackson-databind:2.9.9.1:*:*:*:*:*:*:*

External links
http://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2
http://github.com/FasterXML/jackson-databind/issues/2387

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

IBM Log Analysis update for FasterXML jackson-databind

Multiple vulnerabilities in Dell Secure Connect Gateway

Multiple vulnerabilities in z/Transaction Processing Facility

Multiple vulnerabilities in IBM Process Mining

Multiple vulnerabilities in Apple Xcode

Multiple vulnerabilities in Red Hat Openshift Logging

Multiple vulnerabilities in Red Hat OpenShift Container Platform

Multiple vulnerabilities in Oracle Communications Diameter Signaling Router (DSR)

Multiple vulnerabilities in Red Hat Fuse

Multiple vulnerabilities in Oracle Communications Instant Messaging Server