CVE-2019-16942
CRITICALCVSS 9.8/10EPSS 5.68%
Last modified
CVE-2019-16942 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. EPSS estimates a 5.68% chance of exploitation in the next 30 days.
Description
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Fasterxml | Jackson-Databind | >= 2.0.0, < 2.6.7.3 |
| Fasterxml | Jackson-Databind | >= 2.8.0, < 2.8.11.5 |
| Fasterxml | Jackson-Databind | >= 2.9.0, < 2.9.10.1 |
| Debian | Debian Linux | 8.0 |
| Debian | Debian Linux | 9.0 |
| Debian | Debian Linux | 10.0 |
| Fedoraproject | Fedora | 30 |
| Fedoraproject | Fedora | 31 |
| Redhat | Jboss Enterprise Application Platform | 7.2.0 |
| Redhat | Jboss Enterprise Application Platform | 7.3 |
| Netapp | Active Iq Unified Manager | >= 7.3 |
| Netapp | Active Iq Unified Manager | >= 9.5 |
| Netapp | Oncommand Api Services | All versions |
| Netapp | Oncommand Workflow Automation | All versions |
| Netapp | Service Level Manager | All versions |
| Netapp | Steelstore Cloud Integrated Storage | All versions |
| Oracle | Banking Platform | 2.4.0 |
| Oracle | Banking Platform | 2.4.1 |
| Oracle | Banking Platform | 2.5.0 |
| Oracle | Banking Platform | 2.6.0 |
| Oracle | Banking Platform | 2.6.1 |
| Oracle | Banking Platform | 2.6.2 |
| Oracle | Banking Platform | 2.7.0 |
| Oracle | Banking Platform | 2.7.1 |
| Oracle | Banking Platform | 2.9.0 |
| Oracle | Communications Billing And Revenue Management | 7.5.0.23.0 |
| Oracle | Communications Billing And Revenue Management | 12.0.0.3.0 |
| Oracle | Communications Calendar Server | 8.0.0.2.0 |
| Oracle | Communications Calendar Server | 8.0.0.3.0 |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.2.1 |
| Oracle | Communications Evolved Communications Application Server | 7.1 |
| Oracle | Database Server | 12.2.0.1 |
| Oracle | Database Server | 18c |
| Oracle | Database Server | 19c |
| Oracle | Global Lifecycle Management Nextgen Oui Framework | 12.2.1.3.0 |
| Oracle | Global Lifecycle Management Nextgen Oui Framework | 12.2.1.4.0 |
| Oracle | Global Lifecycle Management Nextgen Oui Framework | 13.9.4.2.2 |
| Oracle | Goldengate Application Adapters | 19.1.0.0.0 |
| Oracle | Jd Edwards Enterpriseone Orchestrator | 9.2 |
| Oracle | Jd Edwards Enterpriseone Tools | 9.2 |
| Oracle | Primavera Gateway | >= 17.12.0, <= 17.12.6 |
| Oracle | Primavera Gateway | >= 18.8.0, <= 18.8.8 |
| Oracle | Primavera Gateway | 19.12.0 |
| Oracle | Primavera Unifier | >= 17.7, <= 17.12 |
| Oracle | Primavera Unifier | 16.1 |
| Oracle | Primavera Unifier | 16.2 |
| Oracle | Primavera Unifier | 18.8 |
| Oracle | Primavera Unifier | 19.12 |
| Oracle | Retail Merchandising System | 15.0.3 |
| Oracle | Retail Merchandising System | 16.0.2 |
Showing 50 of 61 affected configurations. See NVD for the full list.
References
- https://access.redhat.com/errata/RHSA-2019:3901Third Party Advisory
- https://access.redhat.com/errata/RHSA-2020:0159Third Party Advisory
- https://access.redhat.com/errata/RHSA-2020:0160Third Party Advisory
- https://access.redhat.com/errata/RHSA-2020:0161Third Party Advisory
- https://access.redhat.com/errata/RHSA-2020:0164Third Party Advisory
- https://access.redhat.com/errata/RHSA-2020:0445Third Party Advisory
- https://github.com/FasterXML/jackson-databind/issues/2478Patch, Third Party Advisory
- https://issues.apache.org/jira/browse/GEODE-7255Issue Tracking, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2019/10/msg00001.htmlMailing List, Third Party Advisory
- https://seclists.org/bugtraq/2019/Oct/6Issue Tracking, Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20191017-0006/Third Party Advisory
- https://www.debian.org/security/2019/dsa-4542Mailing List, Third Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2020.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2020.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2020.htmlPatch, Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:3901Third Party Advisory
- https://access.redhat.com/errata/RHSA-2020:0159Third Party Advisory
- https://access.redhat.com/errata/RHSA-2020:0160Third Party Advisory
- https://access.redhat.com/errata/RHSA-2020:0161Third Party Advisory
- https://access.redhat.com/errata/RHSA-2020:0164Third Party Advisory
- https://access.redhat.com/errata/RHSA-2020:0445Third Party Advisory
- https://github.com/FasterXML/jackson-databind/issues/2478Patch, Third Party Advisory
- https://issues.apache.org/jira/browse/GEODE-7255Issue Tracking, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2019/10/msg00001.htmlMailing List, Third Party Advisory
- https://seclists.org/bugtraq/2019/Oct/6Issue Tracking, Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20191017-0006/Third Party Advisory
- https://www.debian.org/security/2019/dsa-4542Mailing List, Third Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2020.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2020.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2020.htmlPatch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-16942?
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
How severe is CVE-2019-16942?
CVE-2019-16942 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 5.68% probability of exploitation in the next 30 days.
How do I fix CVE-2019-16942?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2019-16942?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST