CVE-2019-14540
Polymorphic Typing vulnerability in com.fasterxml.jackson.core:jackson-databind


What is CVE-2019-14540 About?

This vulnerability is a Polymorphic Typing issue affecting FasterXML jackson-databind versions before 2.9.10, 2.8.11.5, and 2.6.7.3, specifically related to `com.zaxxer.hikari.HikariConfig`. It is a deserialization flaw that can lead to remote code execution. Exploitation requires finding a relevant gadget chain and sending malicious serialized data to the vulnerable application.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.10
    • <2.6.7.3
    • >2.7.0, <2.8.11.5

Technical Details

The FasterXML jackson-databind library, in the specified vulnerable versions, contains a polymorphic typing deserialization flaw. The issue stems from incomplete blocking of dangerous classes; `com.zaxxer.hikari.HikariConfig` is the class this CVE covers. An attacker can craft a malicious JSON payload that, when deserialized by an application using a vulnerable jackson-databind version, abuses the `HikariConfig` class as a deserialization gadget. Because the library invokes the gadget's methods or constructors with attacker-supplied values during object instantiation, the gadget can perform arbitrary actions, potentially leading to remote code execution. The attack vector relies on the application accepting and deserializing untrusted data.

What is the Impact of CVE-2019-14540?

Successful exploitation may allow attackers to achieve arbitrary code execution, denial of service, or unauthorized access to system resources.

What is the Exploitability of CVE-2019-14540?

Exploitation of this polymorphic typing deserialization vulnerability is of moderate complexity. An attacker needs to be able to send specially crafted serialized data (JSON) to an application that incorporates a vulnerable `jackson-databind` version. The presence of the `com.zaxxer.hikari.HikariConfig` class on the application's classpath is a crucial prerequisite, as it acts as the exploitable deserialization gadget. No authentication is typically required if the deserialization entry point is publicly exposed. This is a remote attack. The existence of a proof-of-concept indicates that the methods and prerequisites for exploitation are well-understood, increasing the likelihood of successful attacks if appropriate defenses are not in place.

What are the Known Public Exploits?

PoC Author Link Commentary
LeadroyaL Link CVE-2019-14540 Exploit

What are the Available Fixes for CVE-2019-14540?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch adds HikariCP's `HikariConfig` and `HikariDataSource` classes, as well as CXF's `XSLTJaxbProvider`, to the blocklist used by Jackson's subtype validator, so that these types are refused during deserialization. This mitigates deserialization attacks via unsafe types (such as arbitrary code execution or data exfiltration) and fixes CVE-2019-14540 by preventing attackers from leveraging these classes during polymorphic deserialization.
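The flaw described in the Technical Details section, and the blocklist approach of the fix above, are both easier to reason about with a concrete mapper configuration in hand. The following Java example is added here and is not code from this page, from Resolved Security, or from the jackson-databind project. It assumes jackson-databind 2.10 or later on the classpath (the version that introduced `activateDefaultTyping` and `BasicPolymorphicTypeValidator`); the `Envelope` and `Note` classes and the two JSON bodies are constructed for the demo, and `java.util.HashMap` stands in for an attacker-chosen class so that nothing dangerous is referenced. Polymorphic deserialization of this kind is only reachable when default typing is enabled (globally, as here, or via an annotation on an `Object`-typed property); the unsafe mapper shows that precondition, and the hardened mapper replaces the blocklist the fix extends with an explicit allowlist.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingDemo {

    // Constructed application DTO. The Object-typed field is where default
    // typing lets the *client* choose which concrete class gets instantiated.
    // It is final so that, under DefaultTyping.NON_FINAL, no type id is
    // required for the root value itself.
    public static final class Envelope {
        public String sender;
        public Object payload;
    }

    // Constructed payload type that the application actually expects.
    public static class Note {
        public String text;
    }

    // UNSAFE: global default typing with no validator. Combined with a
    // vulnerable jackson-databind version, this is the configuration that
    // CVE-2019-14540 needs: any class on the classpath that the blocklist
    // does not name can be instantiated from client-supplied JSON.
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return m;
    }

    // HARDENED: default typing gated by an explicit allowlist (2.10+ API).
    // A blocklist has to chase each new gadget; an allowlist only ever
    // admits the types the application deliberately exchanges.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Note.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return m;
    }

    // Constructed request body naming a type the application never intended.
    // java.util.HashMap is harmless; it stands in for an attacker-chosen class.
    static final String HOSTILE = "{\"sender\":\"x\",\"payload\":"
            + "{\"@class\":\"java.util.HashMap\",\"text\":\"hi\"}}";

    // Constructed request body naming the one type the allowlist permits.
    static final String BENIGN = "{\"sender\":\"x\",\"payload\":"
            + "{\"@class\":\"" + Note.class.getName() + "\",\"text\":\"hi\"}}";

    // Returns true if the mapper refused to resolve the client-chosen type id.
    // The refusal surfaces as InvalidTypeIdException (a JsonMappingException),
    // which is the event worth logging and alerting on in production.
    static boolean rejects(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Envelope.class);
            return false;
        } catch (JsonMappingException e) {
            return true;
        } catch (java.io.IOException e) {
            throw new IllegalStateException("malformed JSON, not a type-id refusal", e);
        }
    }

    public static void main(String[] args) {
        ObjectMapper hardened = hardenedMapper();
        // true: HashMap is not on the allowlist, so it is never instantiated.
        System.out.println("hardened rejects hostile: " + rejects(hardened, HOSTILE));
        // true: Note is allowlisted and deserializes normally.
        System.out.println("hardened accepts benign:  " + !rejects(hardened, BENIGN));
        // false: the unsafe mapper instantiates whatever class the client named,
        // unless the built-in blocklist happens to cover it.
        System.out.println("unsafe rejects hostile:   " + rejects(unsafeMapper(), HOSTILE));
    }
}
```

The allowlist does not replace the upgrade listed below; it is the configuration change that makes the class of bug behind CVE-2019-14540 and its many sibling CVEs unreachable, regardless of which gadget appears next. If an application cannot move to the 2.10+ validator API, the equivalent mitigation on 2.9.x is to not enable default typing at all and to give `Object`-typed properties a concrete declared type instead.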

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • <2.6.7.3 → Upgrade to 2.6.7.3
    • >2.7.0, <2.8.11.5 → Upgrade to 2.8.11.5
    • >2.9.0, <2.9.10 → Upgrade to 2.9.10


Additional Resources

What are Similar Vulnerabilities to CVE-2019-14540?

Similar Vulnerabilities: CVE-2020-11111, CVE-2019-20330, CVE-2020-10968, CVE-2020-11620, CVE-2017-7525