CVE-2019-12384

Published Jun 19, 2019

A flaw was discovered in FasterXML jackson-databind in versions prior to 2.9.9. The vulnerability would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()`, or when `@JsonTypeInfo` uses `Id.CLASS` or `Id.MINIMAL_CLASS`, or in any other way in which `ObjectMapper.readValue` might instantiate objects from unsafe sources. Depending on the classpath content, remote code execution may be possible.

Affected Software

117 affected components (fixes available)

| Component | Affected versions | Fixed in |
|---|---|---|
| redhat/eap7-activemq-artemis | <0:2.9.0-1.redhat_00005.1.el6ea | 0:2.9.0-1.redhat_00005.1.el6ea |
| redhat/eap7-codehaus-jackson | <0:1.9.13-9.redhat_00006.1.el6ea | 0:1.9.13-9.redhat_00006.1.el6ea |
| redhat/eap7-glassfish-jsf | <0:2.3.5-4.SP3_redhat_00002.1.el6ea | 0:2.3.5-4.SP3_redhat_00002.1.el6ea |
| redhat/eap7-hal-console | <0:3.0.16-1.Final_redhat_00001.1.el6ea | 0:3.0.16-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-hibernate | <0:5.3.11-2.SP1_redhat_00001.1.el6ea | 0:5.3.11-2.SP1_redhat_00001.1.el6ea |
| redhat/eap7-infinispan | <0:9.3.7-1.Final_redhat_00001.1.el6ea | 0:9.3.7-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-ironjacamar | <0:1.4.17-1.Final_redhat_00001.1.el6ea | 0:1.4.17-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jackson-annotations | <0:2.9.9-1.redhat_00001.1.el6ea | 0:2.9.9-1.redhat_00001.1.el6ea |
| redhat/eap7-jackson-core | <0:2.9.9-1.redhat_00001.1.el6ea | 0:2.9.9-1.redhat_00001.1.el6ea |
| redhat/eap7-jackson-databind | <0:2.9.9.3-1.redhat_00001.1.el6ea | 0:2.9.9.3-1.redhat_00001.1.el6ea |
| redhat/eap7-jackson-jaxrs-providers | <0:2.9.9-2.redhat_00001.1.el6ea | 0:2.9.9-2.redhat_00001.1.el6ea |
| redhat/eap7-jackson-modules-base | <0:2.9.9-1.redhat_00001.1.el6ea | 0:2.9.9-1.redhat_00001.1.el6ea |
| redhat/eap7-jackson-modules-java8 | <0:2.9.9-1.redhat_00001.1.el6ea | 0:2.9.9-1.redhat_00001.1.el6ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.23-1.Final_redhat_00001.1.el6ea | 0:4.0.23-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-logging | <0:3.3.3-1.Final_redhat_00001.1.el6ea | 0:3.3.3-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-logmanager | <0:2.1.14-1.Final_redhat_00001.1.el6ea | 0:2.1.14-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-marshalling | <0:2.0.9-1.Final_redhat_00001.1.el6ea | 0:2.0.9-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-msc | <0:1.4.8-1.Final_redhat_00001.1.el6ea | 0:1.4.8-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-remoting | <0:5.0.14-1.SP1_redhat_00001.1.el6ea | 0:5.0.14-1.SP1_redhat_00001.1.el6ea |
| redhat/eap7-jboss-server-migration | <0:1.3.1-4.Final_redhat_00004.1.el6ea | 0:1.3.1-4.Final_redhat_00004.1.el6ea |
| redhat/eap7-jboss-xnio-base | <0:3.7.3-1.Final_redhat_00001.1.el6ea | 0:3.7.3-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jgroups | <0:4.0.20-1.Final_redhat_00001.1.el6ea | 0:4.0.20-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-narayana | <0:5.9.6-1.Final_redhat_00001.1.el6ea | 0:5.9.6-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-netty | <0:4.1.34-2.Final_redhat_00002.1.el6ea | 0:4.1.34-2.Final_redhat_00002.1.el6ea |
| redhat/eap7-picketbox | <0:5.0.3-5.Final_redhat_00004.1.el6ea | 0:5.0.3-5.Final_redhat_00004.1.el6ea |
| redhat/eap7-picketlink-bindings | <0:2.5.5-20.SP12_redhat_00007.1.el6ea | 0:2.5.5-20.SP12_redhat_00007.1.el6ea |
| redhat/eap7-picketlink-federation | <0:2.5.5-20.SP12_redhat_00007.1.el6ea | 0:2.5.5-20.SP12_redhat_00007.1.el6ea |
| redhat/eap7-undertow | <0:2.0.25-1.SP1_redhat_00001.1.el6ea | 0:2.0.25-1.SP1_redhat_00001.1.el6ea |
| redhat/eap7-weld-core | <0:3.0.6-2.Final_redhat_00002.1.el6ea | 0:3.0.6-2.Final_redhat_00002.1.el6ea |
| redhat/eap7-wildfly | <0:7.2.4-1.GA_redhat_00002.1.el6ea | 0:7.2.4-1.GA_redhat_00002.1.el6ea |
| redhat/eap7-wildfly-elytron | <0:1.6.4-1.Final_redhat_00001.1.el6ea | 0:1.6.4-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-wildfly-elytron-tool | <0:1.4.3-1.Final_redhat_00001.1.el6ea | 0:1.4.3-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.6-2.Final_redhat_00001.1.el6ea | 0:1.1.6-2.Final_redhat_00001.1.el6ea |
| redhat/eap7-activemq-artemis | <0:2.9.0-1.redhat_00005.1.el7ea | 0:2.9.0-1.redhat_00005.1.el7ea |
| redhat/eap7-codehaus-jackson | <0:1.9.13-9.redhat_00006.1.el7ea | 0:1.9.13-9.redhat_00006.1.el7ea |
| redhat/eap7-glassfish-jsf | <0:2.3.5-4.SP3_redhat_00002.1.el7ea | 0:2.3.5-4.SP3_redhat_00002.1.el7ea |
| redhat/eap7-hal-console | <0:3.0.16-1.Final_redhat_00001.1.el7ea | 0:3.0.16-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-hibernate | <0:5.3.11-2.SP1_redhat_00001.1.el7ea | 0:5.3.11-2.SP1_redhat_00001.1.el7ea |
| redhat/eap7-infinispan | <0:9.3.7-1.Final_redhat_00001.1.el7ea | 0:9.3.7-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-ironjacamar | <0:1.4.17-1.Final_redhat_00001.1.el7ea | 0:1.4.17-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jackson-annotations | <0:2.9.9-1.redhat_00001.1.el7ea | 0:2.9.9-1.redhat_00001.1.el7ea |
| redhat/eap7-jackson-core | <0:2.9.9-1.redhat_00001.1.el7ea | 0:2.9.9-1.redhat_00001.1.el7ea |
| redhat/eap7-jackson-databind | <0:2.9.9.3-1.redhat_00001.1.el7ea | 0:2.9.9.3-1.redhat_00001.1.el7ea |
| redhat/eap7-jackson-jaxrs-providers | <0:2.9.9-2.redhat_00001.1.el7ea | 0:2.9.9-2.redhat_00001.1.el7ea |
| redhat/eap7-jackson-modules-base | <0:2.9.9-1.redhat_00001.1.el7ea | 0:2.9.9-1.redhat_00001.1.el7ea |
| redhat/eap7-jackson-modules-java8 | <0:2.9.9-1.redhat_00001.1.el7ea | 0:2.9.9-1.redhat_00001.1.el7ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.23-1.Final_redhat_00001.1.el7ea | 0:4.0.23-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-logging | <0:3.3.3-1.Final_redhat_00001.1.el7ea | 0:3.3.3-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-logmanager | <0:2.1.14-1.Final_redhat_00001.1.el7ea | 0:2.1.14-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-marshalling | <0:2.0.9-1.Final_redhat_00001.1.el7ea | 0:2.0.9-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-msc | <0:1.4.8-1.Final_redhat_00001.1.el7ea | 0:1.4.8-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-remoting | <0:5.0.14-1.SP1_redhat_00001.1.el7ea | 0:5.0.14-1.SP1_redhat_00001.1.el7ea |
| redhat/eap7-jboss-server-migration | <0:1.3.1-4.Final_redhat_00004.1.el7ea | 0:1.3.1-4.Final_redhat_00004.1.el7ea |
| redhat/eap7-jboss-xnio-base | <0:3.7.3-1.Final_redhat_00001.1.el7ea | 0:3.7.3-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jgroups | <0:4.0.20-1.Final_redhat_00001.1.el7ea | 0:4.0.20-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-narayana | <0:5.9.6-1.Final_redhat_00001.1.el7ea | 0:5.9.6-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-netty | <0:4.1.34-2.Final_redhat_00002.1.el7ea | 0:4.1.34-2.Final_redhat_00002.1.el7ea |
| redhat/eap7-picketbox | <0:5.0.3-5.Final_redhat_00004.1.el7ea | 0:5.0.3-5.Final_redhat_00004.1.el7ea |
| redhat/eap7-picketlink-bindings | <0:2.5.5-20.SP12_redhat_00007.1.el7ea | 0:2.5.5-20.SP12_redhat_00007.1.el7ea |
| redhat/eap7-picketlink-federation | <0:2.5.5-20.SP12_redhat_00007.1.el7ea | 0:2.5.5-20.SP12_redhat_00007.1.el7ea |
| redhat/eap7-undertow | <0:2.0.25-1.SP1_redhat_00001.1.el7ea | 0:2.0.25-1.SP1_redhat_00001.1.el7ea |
| redhat/eap7-weld-core | <0:3.0.6-2.Final_redhat_00002.1.el7ea | 0:3.0.6-2.Final_redhat_00002.1.el7ea |
| redhat/eap7-wildfly | <0:7.2.4-1.GA_redhat_00002.1.el7ea | 0:7.2.4-1.GA_redhat_00002.1.el7ea |
| redhat/eap7-wildfly-elytron | <0:1.6.4-1.Final_redhat_00001.1.el7ea | 0:1.6.4-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-wildfly-elytron-tool | <0:1.4.3-1.Final_redhat_00001.1.el7ea | 0:1.4.3-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.6-2.Final_redhat_00001.1.el7ea | 0:1.1.6-2.Final_redhat_00001.1.el7ea |
| redhat/eap7-activemq-artemis | <0:2.9.0-1.redhat_00005.1.el8ea | 0:2.9.0-1.redhat_00005.1.el8ea |
| redhat/eap7-codehaus-jackson | <0:1.9.13-9.redhat_00006.1.el8ea | 0:1.9.13-9.redhat_00006.1.el8ea |
| redhat/eap7-glassfish-jsf | <0:2.3.5-4.SP3_redhat_00002.1.el8ea | 0:2.3.5-4.SP3_redhat_00002.1.el8ea |
| redhat/eap7-hal-console | <0:3.0.16-1.Final_redhat_00001.1.el8ea | 0:3.0.16-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-hibernate | <0:5.3.11-2.SP1_redhat_00001.1.el8ea | 0:5.3.11-2.SP1_redhat_00001.1.el8ea |
| redhat/eap7-infinispan | <0:9.3.7-1.Final_redhat_00001.1.el8ea | 0:9.3.7-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-ironjacamar | <0:1.4.17-1.Final_redhat_00001.1.el8ea | 0:1.4.17-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jackson-annotations | <0:2.9.9-1.redhat_00001.1.el8ea | 0:2.9.9-1.redhat_00001.1.el8ea |
| redhat/eap7-jackson-core | <0:2.9.9-1.redhat_00001.1.el8ea | 0:2.9.9-1.redhat_00001.1.el8ea |
| redhat/eap7-jackson-databind | <0:2.9.9.3-1.redhat_00001.1.el8ea | 0:2.9.9.3-1.redhat_00001.1.el8ea |
| redhat/eap7-jackson-jaxrs-providers | <0:2.9.9-2.redhat_00001.1.el8ea | 0:2.9.9-2.redhat_00001.1.el8ea |
| redhat/eap7-jackson-modules-base | <0:2.9.9-1.redhat_00001.1.el8ea | 0:2.9.9-1.redhat_00001.1.el8ea |
| redhat/eap7-jackson-modules-java8 | <0:2.9.9-1.redhat_00001.1.el8ea | 0:2.9.9-1.redhat_00001.1.el8ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.23-1.Final_redhat_00001.1.el8ea | 0:4.0.23-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-logging | <0:3.3.3-1.Final_redhat_00001.1.el8ea | 0:3.3.3-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-logmanager | <0:2.1.14-1.Final_redhat_00001.1.el8ea | 0:2.1.14-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-marshalling | <0:2.0.9-1.Final_redhat_00001.1.el8ea | 0:2.0.9-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-msc | <0:1.4.8-1.Final_redhat_00001.1.el8ea | 0:1.4.8-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-remoting | <0:5.0.14-1.SP1_redhat_00001.1.el8ea | 0:5.0.14-1.SP1_redhat_00001.1.el8ea |
| redhat/eap7-jboss-server-migration | <0:1.3.1-4.Final_redhat_00004.1.el8ea | 0:1.3.1-4.Final_redhat_00004.1.el8ea |
| redhat/eap7-jboss-xnio-base | <0:3.7.3-1.Final_redhat_00001.1.el8ea | 0:3.7.3-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jgroups | <0:4.0.20-1.Final_redhat_00001.1.el8ea | 0:4.0.20-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-narayana | <0:5.9.6-1.Final_redhat_00001.1.el8ea | 0:5.9.6-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-netty | <0:4.1.34-2.Final_redhat_00002.1.el8ea | 0:4.1.34-2.Final_redhat_00002.1.el8ea |
| redhat/eap7-picketbox | <0:5.0.3-5.Final_redhat_00004.1.el8ea | 0:5.0.3-5.Final_redhat_00004.1.el8ea |
| redhat/eap7-picketlink-bindings | <0:2.5.5-20.SP12_redhat_00007.1.el8ea | 0:2.5.5-20.SP12_redhat_00007.1.el8ea |
| redhat/eap7-picketlink-federation | <0:2.5.5-20.SP12_redhat_00007.1.el8ea | 0:2.5.5-20.SP12_redhat_00007.1.el8ea |
| redhat/eap7-undertow | <0:2.0.25-1.SP1_redhat_00001.1.el8ea | 0:2.0.25-1.SP1_redhat_00001.1.el8ea |
| redhat/eap7-weld-core | <0:3.0.6-2.Final_redhat_00002.1.el8ea | 0:3.0.6-2.Final_redhat_00002.1.el8ea |
| redhat/eap7-wildfly | <0:7.2.4-1.GA_redhat_00002.1.el8ea | 0:7.2.4-1.GA_redhat_00002.1.el8ea |
| redhat/eap7-wildfly-elytron | <0:1.6.4-1.Final_redhat_00001.1.el8ea | 0:1.6.4-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-wildfly-elytron-tool | <0:1.4.3-1.Final_redhat_00001.1.el8ea | 0:1.4.3-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.6-2.Final_redhat_00001.1.el8ea | 0:1.1.6-2.Final_redhat_00001.1.el8ea |
| redhat/rh-maven35-jackson-databind | <0:2.7.6-2.6.el7 | 0:2.7.6-2.6.el7 |
| debian/jackson-databind | (not stated) | 2.9.8-3+deb10u3, 2.9.8-3+deb10u5, 2.12.1-1+deb11u1, 2.14.0-1 |
| maven/com.fasterxml.jackson.core:jackson-databind | >=2.0.0 <2.6.7.3 | 2.6.7.3 |
| maven/com.fasterxml.jackson.core:jackson-databind | >=2.7.0 <2.7.9.6 | 2.7.9.6 |
| maven/com.fasterxml.jackson.core:jackson-databind | >=2.8.0 <2.8.11.4 | 2.8.11.4 |
| maven/com.fasterxml.jackson.core:jackson-databind | >=2.9.0 <2.9.9.1 | 2.9.9.1 |
| fasterxml jackson-databind | >=2.0.0 <2.6.7.3 | - |
| fasterxml jackson-databind | >=2.7.0 <2.7.9.6 | - |
| fasterxml jackson-databind | >=2.8.0 <2.8.11.4 | - |
| fasterxml jackson-databind | >=2.9.0 <2.9.9.1 | - |
| Debian Debian Linux | =8.0 | - |
| redhat Enterprise Linux | =7.0 | - |
| redhat Enterprise Linux | =7.4 | - |
| redhat Enterprise Linux | =7.5 | - |
| redhat Enterprise Linux | =7.6 | - |
| redhat Enterprise Linux | =7.7 | - |
| redhat/jackson-databind | <2.9.9.1 | 2.9.9.1 |
| IBM InfoSphere Data Architect | <=9.2.1 | - |

Remediation

Information

The following conditions are needed for an exploit; we recommend avoiding all of them if possible:

* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo` using `Id.CLASS` or `Id.MINIMAL_CLASS`
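The two configurations side by side, as an added example that is not from this page or from the Jackson project: the unrestricted `enableDefaultTyping()` setting named above, and the allow-list form that jackson-databind 2.10 introduced (`activateDefaultTyping` with a `PolymorphicTypeValidator`), with a check that the hardened mapper refuses a type id outside the allow-list. The `com.example.model.` package is hypothetical, and the rejected type id is a harmless JDK class constructed for the check.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import java.io.IOException;

public class DefaultTypingHardening {

    // Weak setting: the unrestricted default typing this CVE applies to. Any class on the
    // classpath may be named in the type id, which is what makes gadget classes reachable.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    // Hardened setting (jackson-databind 2.10+): default typing only behind an allow-list,
    // so a type id outside the application's own model package is rejected before an
    // instance is created. "com.example.model." is a hypothetical package name.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return mapper;
    }

    // True when the mapper refuses a payload whose type id is not on the allow-list.
    // The payload is a constructed sample naming a harmless JDK class, not a gadget.
    static boolean rejectsUnexpectedTypeId(ObjectMapper mapper) {
        String json = "[\"java.util.ArrayList\", []]"; // WRAPPER_ARRAY default-typing format
        try {
            mapper.readValue(json, Object.class);
            return false; // instantiated: the type id was accepted
        } catch (InvalidTypeIdException e) {
            return true;  // validator denied the type id
        } catch (IOException e) {
            return false; // some other parse failure, not a validator decision
        }
    }

    public static void main(String[] args) {
        System.out.println("weak mapper rejects: " + rejectsUnexpectedTypeId(weakMapper()));
        System.out.println("hardened mapper rejects: " + rejectsUnexpectedTypeId(hardenedMapper()));
    }
}
```

The weak mapper instantiates the named class and prints `false`; the hardened mapper prints `true` because the validator denies the type id. Upgrading to a fixed release removes the known gadget, but only the allow-list removes the class of bug.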

Event History

Jun 19, 2019, 08:27 PM: Data Sourced (Severity, Affected Software)
Jun 21, 2019, 12:00 AM: CVE Published
Jun 24, 2019, 03:34 PM: CVE Published via MITRE
Jun 24, 2019, 03:34 PM: Data Sourced via MITRE (Description)
Jul 1, 2019, 01:33 PM: Data Sourced via Red Hat (Description, Severity, Affected Software)
Jul 5, 2019, 09:07 PM: Advisory Published via GitHub
Mar 4, 2026, 12:00 AM: Data Sourced via IBM (Description, Affected Software)

Frequently Asked Questions

1. What is the severity of CVE-2019-12384?

The severity of CVE-2019-12384 is considered critical due to the potential for remote code execution.

2. How do I fix CVE-2019-12384?

To fix CVE-2019-12384, upgrade to jackson-databind version 2.9.9.1 or later.

3. What software versions are affected by CVE-2019-12384?

CVE-2019-12384 affects FasterXML jackson-databind versions prior to 2.9.9.1.

4. Is any action required for CVE-2019-12384?

Yes, it is crucial to patch the affected systems to mitigate the risk associated with CVE-2019-12384.

5. What types of attacks can exploit CVE-2019-12384?

CVE-2019-12384 can be exploited to achieve remote code execution through polymorphic deserialization.

Contact

SecAlerts Pty Ltd.
© 2026 SecAlerts Pty Ltd.