CVE-2019-14379
Remote Code Execution vulnerability in jackson-databind (Maven)

Category: Remote Code Execution · Known exploit: none · Fixable by: Resolved Security

What is CVE-2019-14379 About?

FasterXML jackson-databind versions before 2.9.9.2, 2.8.11.4, and 2.7.9.6 are vulnerable to remote code execution due to mishandling of default typing when ehcache is used. This critical flaw allows attackers to execute arbitrary code by leveraging the `net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup`.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • <2.7.9.6
    • >2.8.0, <2.8.11.4
    • >2.9.0, <2.9.9.2

Technical Details

The vulnerability sits in SubTypeValidator.java of FasterXML jackson-databind (before 2.9.9.2, 2.8.11.4, and 2.7.9.6) and stems from improper handling of 'default typing' when the ehcache library is also on the classpath. With default typing enabled, the type to instantiate is taken from the JSON document itself, so net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup becomes usable as a gadget: an attacker can craft JSON input that names this class as the polymorphic type, and the application instantiates it during deserialization. The gadget's behaviour can then be steered to load and execute attacker-controlled code, bypassing the restrictions the application intended to enforce.
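The two configurations that matter here, the unsafe global default typing the advisory describes next to an allowlisted form, as an added example that is not the advisory's or the Jackson project's own code. It assumes Jackson 2.10 or later (the release that introduced `PolymorphicTypeValidator`), a hypothetical application package `com.example.app.model`, and uses `java.util.HashMap` as a harmless stand-in for any class outside the allowlist; the ehcache gadget named above is rejected the same way.

```java
// Added example, not from the advisory or the jackson-databind project.
// Assumes Jackson 2.10+ (PolymorphicTypeValidator); "com.example.app.model" is hypothetical.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingCheck {

    // An envelope whose payload is declared as Object: exactly the shape where default
    // typing lets the JSON document, not the application, choose the class to instantiate.
    public static class Envelope {
        public Object payload;
    }

    // Weak configuration: global default typing with no validator. Any non-final class on
    // the classpath can be named as a type id, which is what the ehcache gadget relies on.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Hardened configuration: default typing only behind an allowlist of the application's
    // own model package; every other type id is rejected before any class is instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.model.")   // hypothetical package prefix
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Returns true if the mapper resolves and instantiates the named class from the JSON.
    // Constructed probe: default typing encodes a polymorphic value as [typeId, value].
    static boolean acceptsTypeId(ObjectMapper mapper, String className) throws Exception {
        String json = "{\"payload\":[\"" + className + "\",{}]}";
        try {
            mapper.readValue(json, Envelope.class);
            return true;
        } catch (InvalidTypeIdException e) {
            return false;   // type id refused by the validator (or the built-in blocklist)
        }
    }

    public static void main(String[] args) throws Exception {
        String standIn = "java.util.HashMap";   // loadable, but not in the allowlist
        System.out.println("weak mapper accepts:     " + acceptsTypeId(weakMapper(), standIn));
        System.out.println("hardened mapper accepts: " + acceptsTypeId(hardenedMapper(), standIn));
    }
}
```

Running it prints true for the weak mapper and false for the hardened one; the same check, pointed at a staging instance of your own deserialization entry point, tells you whether an upgrade alone or an allowlist is still needed.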

What is the Impact of CVE-2019-14379?

Successful exploitation may allow attackers to execute arbitrary code on the target system, leading to complete system compromise, unauthorized data access, or denial of service.

What is the Exploitability of CVE-2019-14379?

Exploitation of this vulnerability requires the application to use a vulnerable version of jackson-databind, have default typing enabled, and include the ehcache library in its classpath. The complexity is moderate, involving the creation of a specialized JSON payload and understanding of deserialization gadgets. No authentication is needed if the deserialization endpoint is publicly exposed, making it a remote attack. The attacker needs to identify a public endpoint that deserializes arbitrary JSON with default typing enabled. The presence of the ehcache library and the specific susceptible configuration significantly increase the risk of successful remote code execution.

What are the Known Public Exploits?

No known public exploits (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2019-14379?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

The patch adds specific classes to a blocklist preventing them from being deserialized by Jackson, thereby mitigating deserialization attacks that could lead to arbitrary code execution. This fixes CVE-2019-14379 by stopping attackers from exploiting vulnerable gadget classes like DefaultTransactionManagerLookup and JNDIConnectionSource during polymorphic deserialization.

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • <2.7.9.6 → Upgrade to 2.7.9.6
    • >2.8.0, <2.8.11.4 → Upgrade to 2.8.11.4
    • >2.9.0, <2.9.9.2 → Upgrade to 2.9.9.2


Additional Resources

What are Similar Vulnerabilities to CVE-2019-14379?

Similar Vulnerabilities: CVE-2017-7525, CVE-2017-15095, CVE-2018-7489, CVE-2019-14892, CVE-2020-17521