CVE-2019-14892
Polymorphic Deserialization vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2019-14892 About?
Jackson-databind versions before 2.9.10, 2.8.11.5, and 2.6.7.3 contain a flaw that permits polymorphic deserialization using malicious JNDI classes. This critical vulnerability allows an attacker to execute arbitrary code through commons-configuration 1 and 2 JNDI classes.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
  - >2.9.0, <2.9.10
  - >2.7.0, <2.8.11.5
  - <2.6.7.3
Technical Details
The vulnerability exists in FasterXML jackson-databind in versions before 2.9.10, 2.8.11.5, and 2.6.7.3. It stems from an insecure polymorphic deserialization mechanism. When default typing is enabled, the `jackson-databind` library lets the JSON document itself name the Java class to instantiate, and that class name is resolved and instantiated during deserialization. This flaw allows an attacker to supply a malicious object type that, when deserialized, leverages JNDI classes from `commons-configuration` (versions 1 and 2). By constructing a JSON payload that references these JNDI classes, an attacker can coerce the application into performing a JNDI lookup against an attacker-controlled server, resulting in the loading and execution of arbitrary code on the target system.
What is the Impact of CVE-2019-14892?
Successful exploitation may allow attackers to execute arbitrary code on the target system, leading to complete system compromise, unauthorized data access, or denial of service.
What is the Exploitability of CVE-2019-14892?
Exploitation requires an application to use a vulnerable version of `jackson-databind` and to have polymorphic deserialization (default typing) enabled, typically on an externally exposed JSON endpoint. The `commons-configuration` library must also be present on the classpath. The complexity is moderate: the attacker must craft a JSON payload that triggers the JNDI lookup via the `commons-configuration` classes. No authentication is required if the JSON endpoint is publicly accessible, making this a remote attack. The attacker needs to identify a deserialization input point and usually also has to host a malicious JNDI server. The presence of both a vulnerable jackson-databind and the `commons-configuration` dependency significantly increases the likelihood of successful exploitation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-14892?
About the Fix from Resolved Security
The patch adds "org.apache.commons.configuration.JNDIConfiguration" and "org.apache.commons.configuration2.JNDIConfiguration" to the blacklist of types not allowed to be deserialized. This prevents remote code execution via unsafe deserialization, fixing CVE-2019-14892 by blocking attackers from leveraging these vulnerable classes with Jackson's polymorphic deserialization feature.
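The Technical Details and fix sections above describe the two halves of the problem: default typing lets the JSON name the class, and the patch only extends a deny list with two more class names. The following is an added example, not code from this advisory or from the jackson-databind project, showing the weak configuration next to an allow-list configuration. It assumes a hypothetical application package `com.example.model` with an `Event` hierarchy, and it relies on the `PolymorphicTypeValidator` / `activateDefaultTyping` API that jackson-databind introduced in 2.10, so it targets a release after the 2.9.10 fix listed here.

```java
package com.example.model;  // hypothetical application package

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.io.IOException;

/**
 * Added example (not code from the advisory or from the jackson-databind project):
 * the unrestricted default-typing setup the advisory describes, next to an
 * allow-list configuration that rejects any type id outside the application's
 * own package. Requires jackson-databind 2.10 or later.
 */
public class JacksonHardening {

    /** Hypothetical polymorphic model this service is expected to deserialize. */
    public interface Event {}

    public static class LoginEvent implements Event {
        public String user;
    }

    /**
     * WEAK: the pre-2.10 pattern. Every class name in the JSON is a candidate for
     * instantiation; only the library's built-in deny list (which the fix for this
     * CVE extends with the two JNDIConfiguration entries) stands in the way, so
     * each newly discovered gadget class needs another release.
     */
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /**
     * HARDENED: default typing is still on, but every type id is checked against
     * an allow list before any constructor runs. Only classes whose name starts
     * with the application's own package prefix are accepted.
     */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // hypothetical prefix
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /**
     * Returns true if the mapper refuses a document naming a type outside the
     * allow list. The type id used here is a harmless JDK class, constructed for
     * the example; the point is only that the application does not own it.
     */
    static boolean rejectsForeignTypeId(ObjectMapper m) {
        String doc = "[\"java.util.Date\", 0]";   // constructed input
        try {
            m.readValue(doc, Object.class);
            return false;                       // instantiated: not rejected
        } catch (InvalidTypeIdException e) {
            return true;                        // rejected before instantiation
        } catch (IOException e) {
            return false;
        }
    }

    /** Deserializes a constructed document naming an application-owned type. */
    static LoginEvent readOwnType(ObjectMapper m) throws IOException {
        String doc = "[\"com.example.model.JacksonHardening$LoginEvent\", {\"user\":\"alice\"}]";
        return (LoginEvent) m.readValue(doc, Object.class);
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper hardened = hardenedMapper();
        System.out.println("own type accepted: " + readOwnType(hardened).user);
        System.out.println("foreign type id rejected (hardened): " + rejectsForeignTypeId(hardened));
        System.out.println("foreign type id rejected (weak): " + rejectsForeignTypeId(weakMapper()));
    }
}
```

The hardened mapper turns the question from "is this class on the deny list yet?" into "is this class one we own?", which is the property a deny-list patch such as the one for this CVE cannot give. Where an application does not need default typing at all, leaving it off and declaring subtypes explicitly with `@JsonTypeInfo` / `@JsonSubTypes` on the base type is the stricter choice.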
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
  - <2.6.7.3 → Upgrade to 2.6.7.3
  - >2.7.0, <2.8.11.5 → Upgrade to 2.8.11.5
  - >2.9.0, <2.9.10 → Upgrade to 2.9.10
Additional Resources
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
- https://access.redhat.com/errata/RHSA-2020:0729
- https://github.com/FasterXML/jackson-databind/commit/819cdbcab51c6da9fb896380f2d46e9b7d4fdc3b
- https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892
- https://security.netapp.com/advisory/ntap-20200904-0005
- https://github.com/FasterXML/jackson-databind
- https://github.com/FasterXML/jackson-databind/issues/2462
What are Similar Vulnerabilities to CVE-2019-14892?
Similar Vulnerabilities: CVE-2017-7525, CVE-2017-15095, CVE-2018-7489, CVE-2019-17531, CVE-2020-14062
