CVE-2019-16335
Polymorphic Typing issue vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2019-16335 About?
This is a Polymorphic Typing issue in FasterXML jackson-databind affecting versions before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to the `com.zaxxer.hikari.HikariDataSource` class (a subclass of `HikariConfig`, the class behind the separate CVE-2019-14540) and is a deserialization vulnerability whose impact can include remote code execution. Exploitation requires that the application deserialize untrusted JSON with polymorphic (Default) typing enabled and that HikariCP be present on the classpath.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
- >2.9.0, <2.9.10
- <2.6.7.3
- >2.7.0, <2.8.11.5
Technical Details
A Polymorphic Typing vulnerability exists in FasterXML jackson-databind versions prior to 2.9.10, 2.8.11.5, and 2.6.7.3. This vulnerability is specifically linked to the `com.zaxxer.hikari.HikariDataSource` class. When Default Typing is enabled in jackson-databind (either globally or for a specific property), the JSON document itself names the class to instantiate, so an attacker can craft a payload whose type identifier is `com.zaxxer.hikari.HikariDataSource`. Jackson instantiates that class and feeds the remaining JSON into its bean setters; `HikariDataSource` extends `HikariConfig`, whose setters accept attacker-controlled values that can trigger a JNDI lookup during deserialization, which is the entry point of the gadget chain. The root cause is the deserializer's willingness to instantiate arbitrary classes named in the input, which lets an attacker use any class available on the classpath as a 'gadget'; the fix for this CVE adds one more such class to the denylist rather than changing that underlying behaviour.
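The configuration difference the paragraph above turns on, as an added example that is not code from the page or from the jackson-databind project. It shows the vulnerable global Default Typing setup next to the allowlist-based setup introduced in jackson-databind 2.10 (`activateDefaultTyping` with a `PolymorphicTypeValidator`), using a constructed payload in the two-element array form Jackson uses for default-typed values. The `Message` DTO, the `com.example.dto.` package prefix and the `GADGET_JSON` string are assumptions for illustration; the payload deliberately carries an empty object so that it exercises only class instantiation, not the gadget itself.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application DTO. A property declared as Object is exactly
    // what OBJECT_AND_NON_CONCRETE default typing attaches polymorphic type ids to.
    public static class Message {
        public String id;
        public Object payload;
    }

    // Constructed payload (not from the page): Jackson's default-typing array form.
    // Element 0 is the type id Jackson will instantiate, element 1 is passed to
    // that class's setters. It is left empty here on purpose.
    static final String GADGET_JSON =
        "{\"id\":\"1\",\"payload\":[\"com.zaxxer.hikari.HikariDataSource\",{}]}";

    // Vulnerable configuration: global Default Typing (pre-2.10 API, deprecated in 2.10).
    // Any class on the classpath can be named as the type id, subject only to
    // jackson-databind's built-in denylist, which did not contain HikariDataSource
    // before 2.9.10 / 2.8.11.5 / 2.6.7.3.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // equivalent to OBJECT_AND_NON_CONCRETE
        return m;
    }

    // Hardened configuration (jackson-databind 2.10+): Default Typing is only
    // activated through an allowlist validator. Type ids outside the listed
    // package prefix are rejected before the named class is even loaded, so
    // the fix no longer depends on a denylist knowing about each gadget.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.dto.") // assumed application package
            .build();
        return JsonMapper.builder()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
            .build();
    }

    public static void main(String[] args) throws Exception {
        try {
            Message m = vulnerableMapper().readValue(GADGET_JSON, Message.class);
            // Reached only on an unpatched version with HikariCP on the classpath:
            // Jackson instantiated the attacker-named class.
            System.out.println("vulnerable mapper instantiated: " + m.payload.getClass().getName());
        } catch (Exception e) {
            // Patched jackson-databind: InvalidDefinitionException ("prevented for security reasons").
            // HikariCP absent: InvalidTypeIdException (type id cannot be resolved).
            System.out.println("vulnerable mapper: " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }

        try {
            hardenedMapper().readValue(GADGET_JSON, Message.class);
            System.out.println("hardened mapper accepted the payload (should not happen)");
        } catch (InvalidTypeIdException e) {
            // Thrown regardless of jackson-databind's denylist and of whether HikariCP is present.
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

Running `vulnerableMapper()` against the constructed payload on a build at or above the fixed versions prints the denylist rejection; on an affected build with HikariCP present it instantiates `HikariDataSource`, which is the condition this CVE describes. The `hardenedMapper()` path rejects the type id in every case, which is why removing global Default Typing (or restricting it with an allowlist) is the durable fix, and upgrading is the minimum.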
What is the Impact of CVE-2019-16335?
Successful exploitation may allow attackers to execute arbitrary code on the server, conduct denial-of-service attacks, or achieve unauthorized information disclosure, depending on the available gadget chains.
What is the Exploitability of CVE-2019-16335?
Exploitation hinges on Default Typing being enabled in jackson-databind and the `com.zaxxer.hikari.HikariDataSource` class being present in the application's classpath. The complexity is moderate, requiring the attacker to understand Java deserialization gadget chains. No authentication or specific privileges are required on the application itself, as the attack typically involves sending a crafted JSON payload to an exposed endpoint that deserializes it. This is a remote attack. The primary constraints are the presence of the specific gadget class (HikariCP) and the jackson-databind configuration; an application that never enables polymorphic typing, or that restricts it to an allowlist of its own types, is not exploitable through this class. The likelihood of exploitation increases in applications that deserialize untrusted data with polymorphic typing enabled.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-16335?
About the Fix from Resolved Security
This patch blocks deserialization of the com.zaxxer.hikari.HikariDataSource class by adding it to the denylist in SubTypeValidator, preventing attackers from leveraging this class for remote code execution. It fixes CVE-2019-16335 by closing a deserialization gadget chain exposed through HikariDataSource, which could otherwise be abused to execute arbitrary code when processing untrusted JSON input.
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- <2.6.7.3 → Upgrade to 2.6.7.3
- com.fasterxml.jackson.core:jackson-databind
- >2.7.0, <2.8.11.5 → Upgrade to 2.8.11.5
- com.fasterxml.jackson.core:jackson-databind
- >2.9.0, <2.9.10 → Upgrade to 2.9.10
Additional Resources
- https://access.redhat.com/errata/RHSA-2019:3200
- https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0%40%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
- https://osv.dev/vulnerability/GHSA-85cw-hj65-qqv9
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://security.netapp.com/advisory/ntap-20191004-0002/
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016%40%3Cissues.hbase.apache.org%3E
What are Similar Vulnerabilities to CVE-2019-16335?
Similar Vulnerabilities: CVE-2019-14439 , CVE-2019-12814 , CVE-2019-16943 , CVE-2019-14540 , CVE-2017-7525
