CVE-2019-14893
Polymorphic Deserialization vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2019-14893 About?
A flaw exists in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, enabling polymorphic deserialization of malicious objects via the xalan JNDI gadget. This can lead to arbitrary code execution if polymorphic type handling methods are used. Exploitation requires specific classpaths and deserialization setups.
Affected Software
Technical Details
The vulnerability in FasterXML jackson-databind allows polymorphic deserialization of malicious objects via the `xalan` JNDI gadget. This occurs when `jackson-databind` is configured to use polymorphic type handling (e.g., `enableDefaultTyping()`, `Id.CLASS`, `Id.MINIMAL_CLASS`) and deserializes data from untrusted sources. An attacker can craft a JSON payload that names a class from the `xalan` library which performs JNDI lookups. During deserialization, `jackson-databind` instantiates the attacker-chosen class, which then performs a JNDI lookup against a malicious LDAP or RMI server controlled by the attacker, ultimately leading to remote code execution on the vulnerable system.
What is the Impact of CVE-2019-14893?
Successful exploitation may allow attackers to execute arbitrary code on the affected system, potentially leading to full system compromise, data theft, or denial of service.
What is the Exploitability of CVE-2019-14893?
Exploitation of this vulnerability is complex. It requires the presence of a vulnerable `jackson-databind` version, the `xalan` library on the classpath, and the application either explicitly enabling polymorphic type handling or implicitly handling types from untrusted sources. Remote access is possible if the application exposes a deserialization endpoint to untrusted input. No specific authentication is required for the deserialization itself. The attacker needs to craft a specific JSON payload tailored to trigger the JNDI gadget. Risk factors include deserializing untrusted data with aggressive polymorphic configurations of `jackson-databind` and having common gadget libraries on the classpath.
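The configuration described in the Technical Details and Exploitability sections, as an added example that is not code from the advisory, from Resolved Security, or from the Jackson project: the weak default-typing setting beside a hardened mapper that resolves polymorphic type ids only for an application-owned package, plus a runtime check that the `jackson-databind` on the classpath is at or past 2.9.10. It assumes jackson-databind 2.10 or later (where `PolymorphicTypeValidator` exists); the package name `com.example.model.` and the JSON input are constructed for the demo.

```java
// Added example (not from the advisory or the Jackson project).
// Assumes jackson-databind 2.10+ so that PolymorphicTypeValidator is available.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingDemo {

    // Weak setting named in the advisory: every @class / [class, value] type id
    // in the JSON is honoured, so any class on the classpath may be instantiated.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // Hardened setting: type ids are only resolved when the named class lives
    // under a package the application owns (assumed package for the demo).
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        return new ObjectMapper()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // True when the jackson-databind on the classpath is at or past 2.9.10,
    // the first fixed 2.9.x release named in the advisory (2.10.0+ is also fixed).
    static boolean databindAtOrAboveFix() {
        int major = PackageVersion.VERSION.getMajorVersion();
        int minor = PackageVersion.VERSION.getMinorVersion();
        int patch = PackageVersion.VERSION.getPatchLevel();
        if (major != 2) return major > 2;
        if (minor != 9) return minor > 9;
        return patch >= 10;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a type id outside the allowed package. The weak
        // mapper would instantiate it; the hardened mapper rejects the id
        // before constructing anything.
        String untrusted = "[\"java.util.HashMap\", {\"k\": \"v\"}]";
        try {
            hardenedMapper().readValue(untrusted, Object.class);
            System.out.println("unexpected: type id accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
        System.out.println("jackson-databind >= 2.9.10: " + databindAtOrAboveFix());
    }
}
```

The upstream fix is a blocklist entry for one gadget class; the allowlist validator above is the complementary control, since it rejects every type id the application did not expect, including gadget classes not yet on the blocklist. Not enabling default typing at all remains the simplest option where polymorphism is not needed.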
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-14893?
About the Fix from Resolved Security
The patch adds `org.apache.xalan.lib.sql.JNDIConnectionPool` to the blocklist of classes that Jackson refuses to deserialize. CVE-2019-14893 arises from unsafe deserialization of this class leading to remote code execution, so blocking its deserialization mitigates the risk.
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
  - >2.9.0, <2.9.10 → Upgrade to 2.9.10
Additional Resources
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893
- https://github.com/FasterXML/jackson-databind/issues/2469
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://access.redhat.com/errata/RHSA-2020:0729
- https://security.netapp.com/advisory/ntap-20200327-0006/
What are Similar Vulnerabilities to CVE-2019-14893?
Similar Vulnerabilities: CVE-2019-12384, CVE-2019-17267, CVE-2017-7525, CVE-2018-7489, CVE-2020-36518
