CVE-2019-16942
Polymorphic Typing vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2019-16942 About?
This vulnerability is a Polymorphic Typing issue in FasterXML `jackson-databind` versions 2.0.0 through 2.9.10. It enables remote code execution when Default Typing is enabled, `commons-dbcp` (1.4) is in the classpath, and an RMI service endpoint is accessible. The impact is severe, allowing arbitrary code execution, but exploitation requires a specific configuration and accessible RMI service.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
- >2.9.0, <2.9.10.1
- >2.0.0, <2.6.7.3
- >2.7.0, <2.8.11.5
Technical Details
The Polymorphic Typing issue in FasterXML `jackson-databind` (versions 2.0.0 through 2.9.10) arises when Default Typing is enabled, either globally or for a specific property, within an externally exposed JSON endpoint. If the `commons-dbcp` (version 1.4) library is also present in the application's classpath, attackers can leverage a deserialization gadget chain. Specifically, the vulnerability capitalizes on the mishandling of `org.apache.commons.dbcp.datasources.SharedPoolDataSource` and `org.apache.commons.dbcp.datasources.PerUserPoolDataSource` classes during deserialization. By sending a specially crafted JSON payload that references one of these classes, an attacker can trigger the instantiation of an arbitrary RMI server. If the attacker can also find and interact with an accessible RMI service endpoint, they can then direct the vulnerable application to connect to a malicious RMI server they control, leading to the execution of arbitrary code on the target system.
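The configuration the issue depends on, as an added example that is not from this page or the Jackson project: the deprecated `enableDefaultTyping` call, which lets the JSON name any class on the classpath, beside the 2.10+ `PolymorphicTypeValidator` allowlist that confines polymorphic resolution to the application's own types. It assumes jackson-databind 2.10 or later; the `com.example.events` package, the `Envelope` and `Event` types and the constructed JSON document are hypothetical.

```java
package com.example.events;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {

    /** Hypothetical application types: the only polymorphic values the endpoint should accept. */
    public interface Event {}
    public static final class LoginEvent implements Event { public String user; }

    /** Hypothetical DTO with an untyped field; this is the shape Default Typing makes dangerous. */
    public static final class Envelope { public Object payload; }

    /** Constructed input: a polymorphic slot naming a class outside the application's packages. */
    static final String UNTRUSTED = "{\"payload\":[\"java.util.HashMap\",{}]}";

    // WEAK: global Default Typing with no validator; any non-final class named in the JSON
    // is resolved and instantiated, which is what the gadget chain on this page relies on.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return mapper;
    }

    // HARDENED: Default Typing stays on for the application's own types only. Class names outside
    // the allowlisted package prefix are refused before any constructor or setter runs.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.events.") // hypothetical package prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        Envelope weak = weakMapper().readValue(UNTRUSTED, Envelope.class);
        System.out.println("weak mapper instantiated: " + weak.payload.getClass().getName());
        try {
            hardenedMapper().readValue(UNTRUSTED, Envelope.class);
            System.out.println("hardened mapper accepted the input (unexpected)");
        } catch (InvalidTypeIdException e) {
            // The validator denies the type id, so the named class is never loaded or constructed.
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

Removing Default Typing entirely (and declaring concrete field types instead of `Object`) is the stronger fix; the allowlist is for endpoints that genuinely need polymorphic input.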
What is the Impact of CVE-2019-16942?
Successful exploitation may allow attackers to achieve remote code execution, compromise the server entirely, access sensitive data, or disrupt application services.
What is the Exploitability of CVE-2019-16942?
Exploitation of this Polymorphic Typing issue is of high complexity due to several prerequisites. The application must be using a vulnerable version of `jackson-databind` (2.0.0 through 2.9.10), have Default Typing enabled, include `commons-dbcp` (1.4) in its classpath, and expose a JSON endpoint. Additionally, an attacker needs to locate and interact with an accessible RMI service endpoint to complete the exploitation chain. No specific authentication to `jackson-databind` is required if the JSON endpoint is public, but authentication to the RMI service might be. This is a remote attack. The core risk factors increasing exploitation likelihood include misconfigured `jackson-databind` (Default Typing enabled on untrusted input) and the presence of specific vulnerable libraries and accessible RMI services within the environment. The attacker needs to precisely craft a deserialization payload to trigger the gadget chain.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-16942?
About the Fix from Resolved Security
This patch expands the blacklist of dangerous classes in SubTypeValidator to block additional types that could enable unsafe deserialization, including org.apache.commons.dbcp.datasources.PerUserPoolDataSource, SharedPoolDataSource, and com.p6spy.engine.spy.P6DataSource. This directly addresses the insecure deserialization risk tracked by CVE-2019-16942, preventing attackers from leveraging crafted polymorphic inputs to instantiate these dangerous classes, which could otherwise lead to remote code execution.
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- >2.0.0, <2.6.7.3 → Upgrade to 2.6.7.3
- com.fasterxml.jackson.core:jackson-databind
- >2.7.0, <2.8.11.5 → Upgrade to 2.8.11.5
- com.fasterxml.jackson.core:jackson-databind
- >2.9.0, <2.9.10.1 → Upgrade to 2.9.10.1
Additional Resources
- https://access.redhat.com/errata/RHSA-2019:3901
- https://nvd.nist.gov/vuln/detail/CVE-2019-16942
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/b2e23c94f9dfef53e04c492e5d02e5c75201734be7adc73a49ef2370@%3Cissues.geode.apache.org%3E
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
- https://www.debian.org/security/2019/dsa-4542
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
- https://osv.dev/vulnerability/GHSA-mx7p-6679-8g3q
What are Similar Vulnerabilities to CVE-2019-16942?
Similar Vulnerabilities: CVE-2020-36179, CVE-2020-36173, CVE-2019-12384, CVE-2017-7657, CVE-2017-15095
