CVE-2019-16943

critical

Description

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

References

https://github.com/FasterXML/jackson-databind/issues/2478

https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html

https://www.debian.org/security/2019/dsa-4542

https://seclists.org/bugtraq/2019/Oct/6

https://lists.fedoraproject.org/archives/list/[email protected]/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/

https://security.netapp.com/advisory/ntap-20191017-0006/

https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.drill.apache.org%3E

https://lists.fedoraproject.org/archives/list/[email protected]/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/

https://lists.apache.org/thread.html/[email protected]%3Cissues.iceberg.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.iceberg.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.druid.apache.org%3E

https://www.oracle.com/security-alerts/cpujan2020.html

https://access.redhat.com/errata/RHSA-2020:0164

https://access.redhat.com/errata/RHSA-2020:0160

https://access.redhat.com/errata/RHSA-2020:0161

https://access.redhat.com/errata/RHSA-2020:0159

https://access.redhat.com/errata/RHSA-2020:0445

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.geode.apache.org%3E

https://www.oracle.com/security-alerts/cpuoct2020.html

Details

Source: MITRE

Published: 2019-10-01

Updated: 2021-07-20

Type: CWE-502

Risk Information

CVSS v2

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

Configuration 4

AND

OR

cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*

cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*

OR

cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

Configuration 5

AND

OR

cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*

cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*

OR

cpe:2.3:o:redhat:enterprise_linux_server:8.0:*:*:*:*:*:*:*

Configuration 6

OR

cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:16.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:trace_file_analyzer:19c:*:*:*:*:*:*:*

cpe:2.3:a:oracle:trace_file_analyzer:18c:*:*:*:*:*:*:*

cpe:2.3:a:oracle:trace_file_analyzer:12.2.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_engineering_-_installer_\&_deployment:*:*:*:*:*:*:*:* versions up to 2.20.5 (inclusive)

cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_merchandising_system:15.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_merchandising_system:16.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:19.12.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 18.8.0 to 18.8.8 (inclusive)

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 17.7 to 17.12.6 (inclusive)

cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_calendar_server:8.0.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_calendar_server:8.0.0.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:goldengate_application_adapters:19.1.0.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*

Configuration 7

OR

cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:linux:*:*

cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*

cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*

cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*

Tenable Plugins

14 plugins total

ID | Name | Product | Family | Severity
146039 | CentOS 8 : pki-core:10.6 and pki-deps:10.6 (CESA-2020:1644) | Nessus | CentOS Local Security Checks | critical
138528 | Oracle Database Server Multiple Vulnerabilities (Jul 2020 CPU) | Nessus | Databases | critical
136041 | RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:1644) | Nessus | Red Hat Local Security Checks | critical
135850 | Oracle WebCenter Portal Multiple Vulnerabilities (Apr 2020 CPU) | Nessus | Misc. | critical
135680 | Oracle WebLogic Server Multiple Vulnerabilities (Apr 2020 CPU) | Nessus | Misc. | critical
135676 | Oracle WebCenter Sites Multiple Vulnerabilities (April 2020 CPU) | Nessus | Windows | critical
135584 | Oracle Primavera Unifier (Apr 2020 CPU) | Nessus | CGI abuses | critical
135583 | Oracle Primavera Gateway (Apr 2020 CPU) | Nessus | CGI abuses | critical
133158 | RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.2.6 on RHEL 8 (RHSA-2020:0161) | Nessus | Red Hat Local Security Checks | critical
133157 | RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.2.6 on RHEL 7 (RHSA-2020:0160) | Nessus | Red Hat Local Security Checks | critical
133156 | RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.2.6 on RHEL 6 (RHSA-2020:0159) | Nessus | Red Hat Local Security Checks | critical
129833 | Fedora 30 : jackson-annotations / jackson-bom / jackson-core / jackson-databind / etc (2019-b171554877) | Nessus | Fedora Local Security Checks | critical
129597 | Debian DSA-4542-1 : jackson-databind - security update | Nessus | Debian Local Security Checks | critical
129539 | Debian DLA-1943-1 : jackson-databind security update | Nessus | Debian Local Security Checks | critical