CVE-2019-14439
Polymorphic Typing issue vulnerability in com.fasterxml.jackson.core:jackson-databind


What is CVE-2019-14439 About?

This vulnerability is a Polymorphic Typing issue in FasterXML jackson-databind 2.x before 2.9.9.2, 2.8.11.4, 2.7.9.6, and 2.6.7.3. It occurs when Default Typing is enabled and the logback jar is in the classpath, allowing for potential remote code execution via deserialization. Exploitation requires careful crafting of JSON payloads and specific environmental conditions.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • <2.6.7.3
    • >2.7.0, <2.7.9.6
    • >2.8.0, <2.8.11.4
    • >2.9.0, <2.9.9.2

Technical Details

A Polymorphic Typing issue exists in FasterXML jackson-databind affecting versions 2.x prior to 2.9.9.2, 2.8.11.4, 2.7.9.6, and 2.6.7.3. This vulnerability is present when Default Typing is enabled globally or for a specific property within an externally exposed JSON endpoint. The specific interaction occurs when the 'logback' jar is also present in the application's classpath. An attacker can craft a malicious JSON payload that leverages the deserialization of untrusted data by Jackson-databind. The payload would include type information intended to instantiate a class from the 'logback' library which, when deserialized with Default Typing enabled, could trigger a gadget chain leading to arbitrary code execution or other security impacts. This allows the attacker to control object instantiation and method calls through the deserialization process.

What is the Impact of CVE-2019-14439?

Successful exploitation may allow attackers to execute arbitrary code on the server, leading to potential complete system compromise, data exfiltration, or denial of service.

What is the Exploitability of CVE-2019-14439?

Exploitation requires Default Typing to be enabled in Jackson-databind and the 'logback' jar to be present in the classpath. The complexity is moderate, as it requires knowledge of deserialization gadgets and the ability to craft a specific JSON payload. No authentication or specific privileges are typically required if the application has an exposed endpoint that deserializes untrusted input. This is a remote attack. The primary constraint is the specific combination of application configuration and dependencies. The likelihood of exploitation increases if an application is configured to perform polymorphic deserialization of untrusted JSON data and has the 'logback' jar in its classpath.

What are the Known Public Exploits?

PoC Author | Link | Commentary
jas502n   | Link | Jackson-databind RCE

What are the Available Fixes for CVE-2019-14439?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch adds specific classes (from EHCache and Logback) to a blacklist that prevents dangerous deserialization via Jackson's SubTypeValidator, blocking their usage as polymorphic types. This mitigation fixes CVE-2019-14439 by preventing attackers from exploiting these classes to perform remote code execution or unsafe operations during deserialization.
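The following Java example is added here and is not Resolved Security's patch or Jackson's own code. It places the Default Typing configuration the advisory names as the precondition beside an allowlist-based configuration, so that a unit test can confirm which mapper accepts an arbitrary class name as a type id. It assumes jackson-databind 2.10 or later (where activateDefaultTyping and BasicPolymorphicTypeValidator exist) and a hypothetical application package com.example.model.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Weak configuration: the precondition described in the advisory. Any JSON
    // document may name a class as ["fully.qualified.Name", {...}] and Jackson
    // will try to instantiate it, limited only by SubTypeValidator's denylist,
    // which is exactly the list the fix above extends.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return mapper;
    }

    // Hardened configuration (jackson-databind 2.10+): polymorphic handling is
    // only activated for subtypes under an explicit allowlist; everything else,
    // including classes from logback or any other library, is refused.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // hypothetical application package
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Constructed sample input: a type id outside the allowlist. A harmless JDK
    // class is used so the test exercises the validator, not a gadget.
    static final String UNEXPECTED_TYPE = "[\"java.util.HashMap\", {\"k\": \"v\"}]";

    // Returns true only if the mapper refuses the unexpected type id.
    static boolean rejectsUnexpectedType(ObjectMapper mapper) {
        try {
            mapper.readValue(UNEXPECTED_TYPE, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("weak mapper rejects unexpected type: " + rejectsUnexpectedType(weakMapper()));
        System.out.println("hardened mapper rejects unexpected type: " + rejectsUnexpectedType(hardenedMapper()));
    }
}
```

Searching a code base for enableDefaultTyping, or for activateDefaultTyping with a permissive validator, is a practical way to find endpoints that meet the advisory's precondition.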

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • <2.6.7.3 → Upgrade to 2.6.7.3
    • >2.7.0, <2.7.9.6 → Upgrade to 2.7.9.6
    • >2.8.0, <2.8.11.4 → Upgrade to 2.8.11.4
    • >2.9.0, <2.9.9.2 → Upgrade to 2.9.9.2


Additional Resources

What are Similar Vulnerabilities to CVE-2019-14439?

Similar Vulnerabilities: CVE-2019-16943, CVE-2019-12814, CVE-2019-16335, CVE-2019-14540, CVE-2017-7525