CVE-2019-12086
Polymorphic Typing vulnerability in jackson-databind (Maven)
What is CVE-2019-12086 About?
This vulnerability is a Polymorphic Typing issue in FasterXML jackson-databind that can lead to arbitrary local file reading. If Default Typing is enabled, an attacker can use a crafted JSON message to trigger it; the preconditions involved make it moderately difficult to exploit. The impact is significant: unauthorized read access to files on the server.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
- >2.0.0, <2.6.7.3
- >2.9.0, <2.9.9
- >2.8.0, <2.8.11.4
- >2.7.0, <2.7.9.6
Technical Details
The vulnerability arises in FasterXML jackson-databind 2.x before 2.9.9 when Default Typing is enabled, either globally or for a specific property, on an externally exposed JSON endpoint. The critical component is the presence of the mysql-connector-java jar (8.0.14 or earlier) in the classpath. An attacker can host a malicious MySQL server and then send a specially crafted JSON message to the vulnerable service. This message exploits missing validation in com.mysql.cj.jdbc.admin.MiniAdmin, allowing the attacker to read arbitrary local files from the server by leveraging the polymorphic typing mechanism to instantiate a gadget that interacts with the attacker's server to exfiltrate files.
What is the Impact of CVE-2019-12086?
Successful exploitation may allow attackers to gain unauthorized access to sensitive local files on the server, potentially leading to information disclosure, credential compromise, or further system compromise.
What is the Exploitability of CVE-2019-12086?
Exploitation of this vulnerability requires several specific conditions, so its complexity is moderate. Prerequisites include Default Typing being enabled on the JSON endpoint, the mysql-connector-java jar (version 8.0.14 or earlier) being present in the classpath, and the attacker being able to host a malicious MySQL server reachable by the victim server. Authentication is not explicitly mentioned as a requirement for sending the crafted JSON, suggesting the attack could be unauthenticated if the endpoint is externally exposed. The attack vector is remote: a specially crafted JSON message sent to the service. Risk is increased if the application uses default typing widely or if dependency management is lax, allowing vulnerable versions of mysql-connector-java to persist.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| motoyasu-saburi | Link | PoC for CVE-2019-12086 |
| Al1ex | Link | jackson unserialize |
What are the Available Fixes for CVE-2019-12086?
About the Fix from Resolved Security
The patch adds the class name "com.mysql.cj.jdbc.admin.MiniAdmin" to a blocklist of classes that Jackson will never deserialize. By blocklisting this class, the patch fixes CVE-2019-12086 by preventing attackers from exploiting unsafe deserialization that could allow remote code execution using this gadget class.
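The blocklist above closes one gadget; the broader defence against the Default Typing condition described under Technical Details is to stop accepting arbitrary class names at all. As an added example that is not part of this advisory or of the Jackson project, the weak configuration is shown beside a hardened one that uses Jackson's PolymorphicTypeValidator allow-list (available from jackson-databind 2.10); the package, the Shape/Circle types and the JSON inputs are constructed for illustration.

```java
// Hypothetical package: the allow-list below is keyed on this prefix.
package com.example.shapes;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    /** Hypothetical application types; Circle is the only subtype expected on the wire. */
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }

    /** Weak: any loadable class named in the JSON is instantiated (the CVE-2019-12086 precondition). */
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    /** Hardened: a type id must match the allow-list, otherwise resolution is refused. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.shapes.") // classes from our own package only
            .build();
        return JsonMapper.builder()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
            .build();
    }

    public static void main(String[] args) throws JsonProcessingException {
        // Constructed inputs in default typing's WRAPPER_ARRAY form: [<class name>, <value>].
        String expected = "[\"com.example.shapes.DefaultTypingHardening$Circle\",{\"radius\":2.0}]";
        String unexpected = "[\"java.util.HashMap\",{}]"; // harmless stand-in for an unlisted class

        // The weak mapper builds whatever class the caller names.
        Object o = weakMapper().readValue(unexpected, Object.class);
        System.out.println("weak mapper built a " + o.getClass().getName());

        ObjectMapper safe = hardenedMapper();
        Shape s = safe.readValue(expected, Shape.class);
        System.out.println("hardened mapper accepted " + s.getClass().getSimpleName());
        try {
            safe.readValue(unexpected, Object.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id " + e.getTypeId());
        }
    }
}
```

Disabling default typing entirely and using @JsonTypeInfo with named subtypes on the specific properties that need polymorphism is stricter still; the validator is the fallback where global default typing cannot be removed.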
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- >2.0.0, <2.6.7.3 → Upgrade to 2.6.7.3
- com.fasterxml.jackson.core:jackson-databind
- >2.7.0, <2.7.9.6 → Upgrade to 2.7.9.6
- com.fasterxml.jackson.core:jackson-databind
- >2.8.0, <2.8.11.4 → Upgrade to 2.8.11.4
- com.fasterxml.jackson.core:jackson-databind
- >2.9.0, <2.9.9 → Upgrade to 2.9.9
Additional Resources
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9
- https://lists.apache.org/thread.html/88cd25375805950ae7337e669b0cb0eeda98b9604c1b8d806dccbad2@%3Creviews.spark.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
What are Similar Vulnerabilities to CVE-2019-12086?
Similar Vulnerabilities: CVE-2017-7525, CVE-2017-15095, CVE-2018-7489, CVE-2019-12384, CVE-2020-11113
