CVE-2019-20330: Critical severity fasterxml jackson-databind vulnerability
Published Jan 2, 2020
·Updated
FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5, and 2.9.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
Other sources
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
Affected Software
73 affected componentsFixes available
redhat/candlepin<0:2.6.16-1.el7
0:2.6.16-1.el7
redhat/foreman<0:1.22.0.39-2.el7
0:1.22.0.39-2.el7
redhat/satellite<0:6.6.3-1.el7
0:6.6.3-1.el7
redhat/tfm-rubygem-fog-ovirt<0:1.2.3-1.el7
0:1.2.3-1.el7
redhat/tfm-rubygem-katello<0:3.12.0.41-1.el7
0:3.12.0.41-1.el7
redhat/tfm-rubygem-runcible<0:2.13.0-1.el7
0:2.13.0-1.el7
redhat/candlepin<0:2.9.28-1.el7
0:2.9.28-1.el7
redhat/foreman<0:1.24.1.24-1.el7
0:1.24.1.24-1.el7
redhat/foreman-installer<1:1.24.1.21-1.el7
1:1.24.1.21-1.el7
redhat/pulp-rpm<0:2.21.0.6-1.el7
0:2.21.0.6-1.el7
redhat/satellite<0:6.7.2-1.el7
0:6.7.2-1.el7
redhat/tfm-rubygem-fog-vsphere<0:3.2.1.1-1.el7
0:3.2.1.1-1.el7
redhat/tfm-rubygem-foreman-tasks<0:0.17.5.6-1.el7
0:0.17.5.6-1.el7
redhat/tfm-rubygem-katello<0:3.14.0.25-1.el7
0:3.14.0.25-1.el7
maven/com.fasterxml.jackson.core:jackson-databind>=2.0.0<=2.6.7.3
2.6.7.4
maven/com.fasterxml.jackson.core:jackson-databind>=2.9.0<=2.9.10.1
2.9.10.2
maven/com.fasterxml.jackson.core:jackson-databind>=2.8.0<=2.8.11.4
2.8.11.5
maven/com.fasterxml.jackson.core:jackson-databind>=2.7.0<=2.7.9.6
2.7.9.7
fasterxml jackson-databind>=2.0.0<2.7.9.7
fasterxml jackson-databind>=2.8.0<2.8.11.5
fasterxml jackson-databind>=2.9.0<2.9.10.2
Oracle Banking Platform>=2.4.0<=2.9.0
Oracle Communications Billing and Revenue Management=7.5.0.23.0
Oracle Communications Billing and Revenue Management=12.0.0.3.0
Oracle Communications Cloud Native Core Network Slice Selection Function=1.2.1
Oracle Communications Contacts Server=8.0.0.4.0
Oracle Communications Evolved Communications Application Server=7.1
Oracle Communications Instant Messaging Server=10.0.1.4.0
Oracle Communications Network Charging And Control>=12.0.0<=12.0.3
Oracle Communications Network Charging And Control=6.0.1
Oracle Customer Management And Segmentation Foundation=18.0
Oracle Enterprise Manager Base Platform=13.3.0.0
Oracle Enterprise Manager Base Platform=13.4.0.0
Oracle Global Lifecycle Management Opatch<11.2.0.3.23
Oracle Global Lifecycle Management Opatch>=12.2.0.1.0<12.2.0.1.19
Oracle Global Lifecycle Management Opatch>=13.9.4.0.0<13.9.4.2.1
Oracle Goldengate Application Adapters=19.1.0.0.0
Oracle Goldengate Stream Analytics<19.1.0.0.1
Oracle JD Edwards EnterpriseOne Orchestrator<9.2.4.2
Oracle JD Edwards EnterpriseOne Tools<9.2.4.2
Oracle Primavera Unifier>=17.7<=17.12
Oracle Primavera Unifier=16.1
Oracle Primavera Unifier=16.2
Oracle Primavera Unifier=18.8
Oracle Primavera Unifier=19.12
Oracle Retail Merchandising System=15.0.3
Oracle Retail Merchandising System=16.0.2
Oracle Retail Merchandising System=16.0.3
Oracle Retail Sales Audit=14.1
Oracle Retail Xstore Point of Service=15.0
Oracle Retail Xstore Point of Service=16.0
Oracle Retail Xstore Point of Service=17.0
Oracle Retail Xstore Point of Service=18.0
Oracle Retail Xstore Point of Service=19.0
Oracle Siebel Engineering - Installer \& Deployment<=2.20.5
Oracle Siebel UI Framework<=20.5
Oracle Trace File Analyzer=12.2.0.1
Oracle Trace File Analyzer=18c
Oracle Trace File Analyzer=19c
Oracle WebCenter Portal=12.2.1.3.0
Oracle WebCenter Portal=12.2.1.4.0
Oracle WebLogic Server=12.2.1.3.0
Oracle WebLogic Server=12.2.1.4.0
Debian Debian Linux=8.0
NetApp Active Iq Unified Manager Linux>=7.3
NetApp Active Iq Unified Manager Windows>=7.3
NetApp Active Iq Unified Manager Vmware Vsphere>=9.5
NetApp OnCommand API Services
NetApp Service Level Manager
NetApp Snapcenter
NetApp Steelstore Cloud Integrated Storage
redhat/jackson-databind<2.9.10.2
2.9.10.2
IBM InfoSphere Data Architect<=9.2.1
Remediation
Patch Available
Patch Available
Patch Available
Information
The following conditions are needed for an exploit, we recommend avoiding all if possible:
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`
Event History
Jan 2, 2020
CVE Published
12:00 AM
Jan 3, 2020
CVE Published
via MITRE·03:35 AM
Data Sourced
via MITRE·03:35 AM
Description
Jan 20, 2020
Data Sourced
via Red Hat·08:02 PM
DescriptionSeverityAffected Software
Mar 4, 2020
Advisory Published
via GitHub·08:52 PM
Mar 4, 2026
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software
Parent advisories
This vulnerability appears in the following advisories.
Frequently Asked Questions
1
What is the severity of CVE-2019-20330?
The severity of CVE-2019-20330 is considered to be unknown due to insufficient details about its impact and attack vector.
2
How do I fix CVE-2019-20330?
To fix CVE-2019-20330, update to the recommended versions of FasterXML jackson-databind as specified in the software's documentation.
3
What software is affected by CVE-2019-20330?
CVE-2019-20330 affects various versions of FasterXML jackson-databind, including 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, and so on.
4
Is there a specific version to upgrade to for CVE-2019-20330?
Yes, you should upgrade to the specified fixed versions, such as jackson-databind 2.9.10.2 or others depending on your current version.
5
What are the implications of CVE-2019-20330 for my applications?
While the exact implications of CVE-2019-20330 are not well documented, it is advisable to apply patches to mitigate any risks associated with the vulnerability.