CVE-2019-14439: Infoleak

Q: What is the severity of CVE-2019-14439?

CVE-2019-14439 has a moderate severity rating due to potential security risks related to polymorphic typing in certain configurations of the Jackson-databind library.

Q: How do I fix CVE-2019-14439?

To fix CVE-2019-14439, update jackson-databind to version 2.9.9.2, 2.8.11.4, 2.7.9.6, or 2.6.7.3 or higher.

Q: What software is affected by CVE-2019-14439?

CVE-2019-14439 affects multiple versions of the FasterXML jackson-databind library across various applications, including those provided by Debian and IBM.

Q: What types of attacks does CVE-2019-14439 enable?

CVE-2019-14439 allows attackers to exploit polymorphic typing issues, potentially leading to remote code execution on systems with vulnerable configurations.

Q: Is it safe to use default typing in JSON endpoints after CVE-2019-14439?

Using default typing in JSON endpoints can be risky after CVE-2019-14439; it is advisable to avoid or limit its use unless the library is updated.

Published Jul 30, 2019

Updated

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2, 2.8.11.4, 2.7.9.6, and 2.6.7.3. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

Other sources

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

Affected Software

55 affected componentsFixes available

debian/jackson-databind

2.9.8-3+deb10u32.9.8-3+deb10u52.12.1-1+deb11u12.14.0-1

maven/com.fasterxml.jackson.core:jackson-databind>=2.8.0<2.8.11.4

2.8.11.4

maven/com.fasterxml.jackson.core:jackson-databind<2.6.7.3

2.6.7.3

maven/com.fasterxml.jackson.core:jackson-databind>=2.7.0<2.7.9.6

2.7.9.6

maven/com.fasterxml.jackson.core:jackson-databind>=2.9.0<2.9.9.2

2.9.9.2

fasterxml jackson-databind>=2.0.0<2.6.7.3

fasterxml jackson-databind>=2.7.0<2.7.9.6

fasterxml jackson-databind>=2.8.0<2.8.11.4

fasterxml jackson-databind>=2.9.0<2.9.9.2

Debian Debian Linux=8.0

Debian Debian Linux=9.0

Debian Debian Linux=10.0

Fedoraproject Fedora=29

Fedoraproject Fedora=30

Apache Drill=1.16.0

redhat Jboss Middleware Text-only Advisories Middleware=1.0

Oracle Banking Platform=2.4.0

Oracle Banking Platform=2.4.1

Oracle Banking Platform=2.5.0

Oracle Banking Platform=2.6.0

Oracle Banking Platform=2.6.1

Oracle Banking Platform=2.7.0

Oracle Banking Platform=2.7.1

Oracle Communications Diameter Signaling Router=8.0.0

Oracle Communications Diameter Signaling Router=8.1

Oracle Communications Diameter Signaling Router=8.2

Oracle Communications Diameter Signaling Router=8.2.1

Oracle Communications Instant Messaging Server=10.0.1.3.0

Oracle Financial Services Analytical Applications Infrastructure>=8.0.2<=8.0.8

Oracle Global Lifecycle Management Opatch<11.2.0.3.23

Oracle Global Lifecycle Management Opatch>=12.2.0.1.0<12.2.0.1.19

Oracle Global Lifecycle Management Opatch>=13.9.4.0.0<13.9.4.2.1

Oracle Global Lifecycle Management Opatch=11.2.0.3.23

Oracle Global Lifecycle Management Opatch=13.9.4.2.1

Oracle Goldengate Stream Analytics<19.1.0.0.1

Oracle JD Edwards EnterpriseOne Orchestrator=9.2

Oracle JD Edwards EnterpriseOne Tools=9.2

Oracle Primavera Gateway>=17.7<=17.12

Oracle Primavera Gateway=15.2

Oracle Primavera Gateway=16.1

Oracle Primavera Gateway=16.2

Oracle Primavera Gateway=18.8.0

Oracle Retail Customer Management and Segmentation Foundation=17.0

Oracle Retail Xstore Point of Service=7.1

Oracle Retail Xstore Point of Service=15.0

Oracle Retail Xstore Point of Service=16.0

Oracle Retail Xstore Point of Service=17.0

Oracle Retail Xstore Point of Service=18.0

Oracle Siebel Engineering - Installer \& Deployment<=19.8

Oracle Siebel UI Framework<=19.10

redhat/jackson-databind<2.9.10

2.9.10

redhat/jackson-databind<2.8.11.4

2.8.11.4

redhat/jackson-databind<2.7.9.6

2.7.9.6

redhat/jackson-databind<2.6.7.3

2.6.7.3

IBM InfoSphere Data Architect<=9.2.1

Remediation

Information

The following conditions are needed for an exploit, we recommend avoiding all if possible * Deserialization from sources you do not control * `enableDefaultTyping()` * `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`

Event History

Jul 30, 2019

CVE Published

12:00 AM

Data Sourced

12:00 AM

RemedyDescriptionSeverityWeaknessAffected Software

CVE Published

via MITRE·10:49 AM

Data Sourced

via MITRE·10:49 AM

Description

Aug 1, 2019

Advisory Published

07:18 PM

Sep 17, 2019

Data Sourced

via Red Hat·04:34 PM

DescriptionSeverityAffected Software

Mar 4, 2026

Data Sourced

via IBM·12:00 AM

DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Frequently Asked Questions

What is the severity of CVE-2019-14439?

CVE-2019-14439 has a moderate severity rating due to potential security risks related to polymorphic typing in certain configurations of the Jackson-databind library.

How do I fix CVE-2019-14439?

To fix CVE-2019-14439, update jackson-databind to version 2.9.9.2, 2.8.11.4, 2.7.9.6, or 2.6.7.3 or higher.

What software is affected by CVE-2019-14439?

CVE-2019-14439 affects multiple versions of the FasterXML jackson-databind library across various applications, including those provided by Debian and IBM.

What types of attacks does CVE-2019-14439 enable?

CVE-2019-14439 allows attackers to exploit polymorphic typing issues, potentially leading to remote code execution on systems with vulnerable configurations.

Is it safe to use default typing in JSON endpoints after CVE-2019-14439?

Using default typing in JSON endpoints can be risky after CVE-2019-14439; it is advisable to avoid or limit its use unless the library is updated.

CVE-2019-14439: Infoleak

Other sources

Affected Software

Remediation

Patch Available

Patch Available

Patch Available

Patch Available

Patch Available

Patch Available

Patch Available

Patch Available

Information

Event History

Parent advisories

Don't miss critical vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2019-14439?

How do I fix CVE-2019-14439?

What software is affected by CVE-2019-14439?

What types of attacks does CVE-2019-14439 enable?

Is it safe to use default typing in JSON endpoints after CVE-2019-14439?

Company

Resources

Contact