CVE-2018-14719
Code Execution vulnerability in jackson-databind (Maven)
What is CVE-2018-14719 About?
This vulnerability in FasterXML jackson-databind 2.x before 2.9.7, 2.8.11.3, and 2.7.9.5 might allow remote attackers to execute arbitrary code. It leverages a failure to block specific classes (blaze-ds-opt and blaze-ds-core) from polymorphic deserialization. Exploitation can be achieved by crafting a malicious payload that targets these unblocked classes.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
- >2.9.0, <2.9.7
- >2.0.0, <2.7.9.5
- >2.8.0, <2.8.11.3
Technical Details
The FasterXML jackson-databind library, in its 2.x versions, allows for polymorphic deserialization where the type of an object can be specified in the JSON payload. Vulnerable versions fail to properly blacklist all potentially dangerous gadget classes. Specifically, the blaze-ds-opt and blaze-ds-core classes are not blocked. An attacker can craft a malicious JSON payload that instructs jackson-databind to deserialize an object of one of these unblocked types, potentially leveraging methods or constructors within those classes to execute arbitrary code on the server where the deserialization occurs. This is a common deserialization vulnerability pattern, where the attacker controls the object graph being reconstructed.
What is the Impact of CVE-2018-14719?
Successful exploitation may allow attackers to execute arbitrary code on the affected system, leading to full system compromise, data theft, or denial of service.
What is the Exploitability of CVE-2018-14719?
Exploitation requires the attacker to send a specially crafted JSON payload to an application endpoint that performs polymorphic deserialization using vulnerable versions of jackson-databind. The complexity is moderate, as it requires knowledge of the application's classpath and suitable 'gadget' classes within blaze-ds-opt or blaze-ds-core to achieve code execution. Authentication might not be required if the deserialization endpoint is publicly exposed, but it could also be an authenticated function. No specific privileges are needed beyond the ability to submit the malicious JSON. This is a remote vulnerability, and its likelihood is increased if the application processes untrusted, user-supplied JSON data with polymorphic type handling enabled and the vulnerable classes are present on the classpath.
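The two passages above (Technical Details and Exploitability) both hinge on one mechanism: with polymorphic deserialization enabled, the JSON document itself names the class that jackson-databind will instantiate, and vulnerable versions only stop that with an incomplete blacklist. The example below is added here and is not code from this advisory or from the jackson-databind project. It shows the risky default-typing configuration next to two defensive configurations: closed-set logical type names via annotations (works on any 2.x release, including the fixed versions listed on this page), and an explicit allow-list validator (`BasicPolymorphicTypeValidator` / `activateDefaultTyping`, which exist only in jackson-databind 2.10 and later). The package prefix `com.example.model.` and the `Shape` model classes are placeholders chosen for illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not from the advisory or the jackson-databind project.
public class PolymorphicDeserializationDemo {

    // --- Risky pattern (any 2.x): the JSON names the class to construct. ---
    // With default typing on, a java.lang.Object property is read as
    // ["fully.qualified.ClassName", { ...fields... }], so whoever controls the
    // JSON picks which class on the classpath gets constructed. Vulnerable
    // versions only subtract a blacklist of known gadget classes from that set,
    // which CVE-2018-14719 shows was incomplete.
    static ObjectMapper riskyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated in 2.10 for exactly this reason
        return mapper;
    }

    // --- Safer pattern A (any 2.x): logical names over a closed set of subtypes. ---
    // The type id is "circle" or "square", never a class name; anything else is
    // rejected before any object is created.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {}

    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    // --- Safer pattern B (2.10+ only): default typing behind an explicit allow-list. ---
    // com.example.model. is a placeholder for the application's own model package.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input for the risky mapper: the document chooses the class.
        // java.util.HashMap is harmless; the point is that the caller did not choose it.
        Object chosenByInput = riskyMapper()
                .readValue("[\"java.util.HashMap\",{}]", Object.class);
        System.out.println("risky mapper built: " + chosenByInput.getClass().getName());

        ObjectMapper mapper = new ObjectMapper();

        // Constructed input for pattern A: a logical name maps to Circle.
        Shape s = mapper.readValue("{\"kind\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println("pattern A built: " + s.getClass().getSimpleName());

        // A type id outside the closed set fails with InvalidTypeIdException
        // instead of being resolved against the classpath.
        try {
            mapper.readValue("{\"kind\":\"java.util.HashMap\"}", Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("pattern A rejected type id: " + e.getTypeId());
        }

        // Pattern B: constructing the mapper is enough to show the configuration;
        // on 2.10+ any subtype outside com.example.model. is rejected the same way.
        hardenedMapper();
    }
}
```

Upgrading to the fixed versions on this page closes the specific gap for the two named artifacts, but the pattern A design (logical names, closed subtype set) removes the dependency on a blacklist entirely and is the configuration worth checking for in code review of any endpoint that deserializes untrusted JSON.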
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-14719?
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- >2.0.0, <2.7.9.5 → Upgrade to 2.7.9.5
- >2.8.0, <2.8.11.3 → Upgrade to 2.8.11.3
- >2.9.0, <2.9.7 → Upgrade to 2.9.7
Additional Resources
- https://github.com/FasterXML/jackson-databind/issues/2097
- https://access.redhat.com/errata/RHSA-2019:3140
- https://access.redhat.com/errata/RHSA-2019:3149
- https://nvd.nist.gov/vuln/detail/CVE-2018-14719
- https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.debian.org/security/2019/dsa-4452
- https://access.redhat.com/errata/RHSA-2019:1822
What are Similar Vulnerabilities to CVE-2018-14719?
Similar Vulnerabilities: CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-7489, CVE-2018-19361
