CVE-2019-10202
Deserialization vulnerability in jackson-mapper-asl (Maven)
What is CVE-2019-10202 About?
CVE-2019-10202 covers a series of deserialization flaws in Codehaus Jackson 1.9.x (the org.codehaus.jackson jackson-mapper-asl artifact) as shipped in Red Hat JBoss EAP 7. When an application enables polymorphic type handling, the class to instantiate is taken from the attacker-supplied JSON, so any "gadget" class present on the classpath becomes a candidate. Successful exploitation can lead to arbitrary code execution or information disclosure; how hard it is depends on which gadget classes the application's classpath makes available. The Red Hat fix adopts a whitelist approach, so only explicitly permitted classes may be named in the type identifier, which is intended to stop both the known gadgets and ones not yet published.
Affected Software
Technical Details
The vulnerability involves a series of deserialization flaws in Codehaus Jackson 1.9.x, the legacy org.codehaus.jackson code base that predates FasterXML jackson-databind 2.x but shares the same polymorphic type handling design. When default typing is enabled on the ObjectMapper, or a property is annotated with @JsonTypeInfo and declared as Object, an interface or an abstract class, the JSON document itself carries the fully qualified name of the class to instantiate. An attacker who controls that JSON can name any class on the classpath, and classes whose constructors or setters have side effects (opening connections, loading remote code, reading files) become deserialization gadgets that trigger arbitrary code execution or information disclosure when the object is populated. Earlier fixes for the individual gadget CVEs worked by blacklisting specific class names, which had to be repeated each time a new gadget was found. The fix for CVE-2019-10202 instead introduces a whitelist approach: only explicitly allowed classes may be resolved from a type identifier, and everything else is rejected before it is loaded or instantiated. This closes past issues such as CVE-2017-17485 and the related jackson-databind CVEs listed below in one step, because the set of gadgets an attacker can reach is bounded by the allow-list rather than by what has been discovered so far.
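As an added illustration, not code from the original page or from Red Hat's patch, the following Java example shows the vulnerable Codehaus Jackson 1.9 configuration beside one way to impose a whitelist on the polymorphic type identifier. The Envelope and Widget classes, the allow-list contents and the two JSON inputs are constructed for this example; the org.codehaus.jackson APIs used (enableDefaultTyping, setDefaultTyping, DefaultTypeResolverBuilder, ClassNameIdResolver) are the library's own, but the exact shape of Red Hat's whitelist implementation is not described on this page, so the resolver below is an assumed design rather than a copy of the fix.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.codehaus.jackson.annotate.JsonTypeInfo;
import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.map.jsontype.impl.ClassNameIdResolver;
import org.codehaus.jackson.map.jsontype.impl.StdTypeResolverBuilder;
import org.codehaus.jackson.map.type.TypeFactory;
import org.codehaus.jackson.type.JavaType;

public class PolymorphicWhitelistDemo {

    // Hypothetical application types, constructed for this example.
    public static class Envelope {
        public Object payload;   // Object-typed: default typing applies to this property
    }

    public static class Widget {
        public String name;
    }

    /** Type-id resolver that only honours class names on an explicit allow-list (assumed design). */
    static final class WhitelistIdResolver extends ClassNameIdResolver {
        private final Set<String> allowed;

        WhitelistIdResolver(TypeFactory tf, Set<String> allowed) {
            super(tf.constructType(Object.class), tf);
            this.allowed = allowed;
        }

        @Override
        public JavaType typeFromId(String id) {
            // Decide before any class is loaded and before any constructor or setter runs.
            if (!allowed.contains(id)) {
                throw new IllegalArgumentException("Refusing polymorphic type id not on whitelist: " + id);
            }
            return super.typeFromId(id);
        }
    }

    /** Vulnerable pattern: any class on the classpath may be named through the "@class" property. */
    public static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE,
                                   JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    /** Hardened pattern: same default typing, but every type id is checked against the whitelist. */
    public static ObjectMapper hardenedMapper(Set<String> allowed) {
        ObjectMapper mapper = new ObjectMapper();
        StdTypeResolverBuilder typer =
            new ObjectMapper.DefaultTypeResolverBuilder(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        typer.init(JsonTypeInfo.Id.CLASS, new WhitelistIdResolver(mapper.getTypeFactory(), allowed));
        typer.inclusion(JsonTypeInfo.As.PROPERTY);
        mapper.setDefaultTyping(typer);
        return mapper;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs. java.util.HashMap stands in for an attacker-chosen class; a real
        // gadget would be a class whose constructor or setters have dangerous side effects.
        String legit   = "{\"payload\":{\"@class\":\"" + Widget.class.getName() + "\",\"name\":\"ok\"}}";
        String hostile = "{\"payload\":{\"@class\":\"java.util.HashMap\",\"k\":\"v\"}}";

        // The vulnerable mapper instantiates whatever class the JSON names.
        Envelope e = vulnerableMapper().readValue(hostile, Envelope.class);
        System.out.println("vulnerable mapper instantiated: " + e.payload.getClass().getName());

        // The hardened mapper still supports the legitimate subtype but refuses anything else.
        Set<String> allowed = new HashSet<String>(Arrays.asList(Widget.class.getName()));
        ObjectMapper safe = hardenedMapper(allowed);
        Widget w = (Widget) safe.readValue(legit, Envelope.class).payload;
        System.out.println("hardened mapper accepted: " + w.name);
        try {
            safe.readValue(hostile, Envelope.class);
        } catch (Exception ex) {   // Jackson wraps the IllegalArgumentException in a JsonMappingException
            System.out.println("hardened mapper rejected: " + ex.getMessage());
        }
    }
}
```

Compile and run with jackson-core-asl and jackson-mapper-asl 1.9.x on the classpath. The point of placing the check in typeFromId is that it fails closed: a class that is not on the list is never resolved, so no class loading, constructor or setter ever executes for it, which is what distinguishes the whitelist approach from the per-gadget blacklists used in the earlier jackson-databind fixes. In production the allow-list should be the closed set of subtypes the application actually serializes, and default typing should be left disabled wherever a concrete type can be declared instead.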
What is the Impact of CVE-2019-10202?
Successful exploitation may allow attackers to execute arbitrary code, disclose information, bypass security restrictions, or cause denial of service, depending on which gadget class the crafted type identifier reaches.
What is the Exploitability of CVE-2019-10202?
Exploitation requires the ability to submit crafted JSON to an endpoint that deserializes it with polymorphic type handling enabled, either globally through ObjectMapper default typing or per property through @JsonTypeInfo on a field declared as Object, an interface or an abstract class. The type identifier in the JSON then selects the class to instantiate, so the attack is bounded only by which gadget classes are present on the application's classpath: complexity is low when a known gadget chain is available and high when none is. Whether authentication is needed depends only on whether the vulnerable endpoint is reachable before or after login, and no elevated privileges are required to send the request. The attack is remote in the common case of a JSON web API, though any other channel that feeds data into the same deserialization code (message queues, files, caches) is exposed in the same way.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2019-10202?
Available Upgrade Options
- No fixes available on Maven Central: upstream Codehaus Jackson 1.x is end-of-life, and the whitelist fix exists only in the Red Hat-patched jackson-mapper-asl shipped with EAP 7. Applications that cannot consume that build should migrate to FasterXML jackson-databind 2.x and keep polymorphic typing disabled, or restricted to an explicit allow-list, there as well.
Additional Resources
- https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9%40%3Cdev.hive.apache.org%3E
- https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d%40%3Cissues.hive.apache.org%3E
- https://osv.dev/vulnerability/GHSA-c27h-mcmw-48hv
- https://lists.apache.org/thread.html/refea6018a2c4e9eb7838cab567ed219c3f726dcd83a5472fbb80d8d9%40%3Cissues.flume.apache.org%3E
What are Similar Vulnerabilities to CVE-2019-10202?
Similar Vulnerabilities: CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489
