CVE-2019-16943
Polymorphic Typing issue vulnerability in com.fasterxml.jackson.core:jackson-databind


What is CVE-2019-16943 About?

This vulnerability is a Polymorphic Typing issue in FasterXML jackson-databind affecting versions before 2.9.10.1, 2.8.11.5, and 2.6.7.3. It can lead to remote code execution (RCE) when Default Typing is enabled, the p6spy jar is on the classpath, and an RMI service endpoint is reachable. The root cause is deserialization of untrusted data: exploitation achieves RCE by abusing it.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.10.1
    • <2.6.7.3
    • >2.7.0, <2.8.11.5

Technical Details

A Polymorphic Typing vulnerability exists in FasterXML jackson-databind versions from 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. The flaw manifests when 'Default Typing' is enabled, either globally or for a particular property, because the deserializer then instantiates classes named by the type information carried in the JSON payload. It is exploitable only under specific conditions: the 'p6spy' (version 3.8.6) jar must be present on the application's classpath, and an attacker must be able to discover and reach an RMI service endpoint. The `com.p6spy.engine.spy.P6DataSource` class, in conjunction with an accessible RMI service, mishandles deserialized objects, so a malicious payload within the JSON can be executed via a crafted RMI call. The attack vector is specially crafted JSON that instructs jackson-databind to instantiate a gadget chain ending in code execution through the RMI service endpoint.

What is the Impact of CVE-2019-16943?

Successful exploitation may allow attackers to execute arbitrary code on the server, leading to full system compromise, data theft, or denial of service.

What is the Exploitability of CVE-2019-16943?

Exploitation of this vulnerability is complex. Prerequisites include 'Default Typing' being enabled, the presence of the 'p6spy' 3.8.6 jar on the classpath, and an accessible RMI service endpoint. No authentication to the RMI service endpoint is explicitly mentioned as required, implying potential remote unauthenticated access if the endpoint itself is exposed. The attack is remote, making it a severe threat. Identifying the RMI endpoint and crafting a suitable deserialization payload add to the complexity. The main constraint is the specific combination of application configuration and classpath dependencies. The likelihood of exploitation increases significantly if the application uses default configurations that enable polymorphic typing and has the specified dependency.

What are the Known Public Exploits?

No known public exploits are listed for this CVE (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2019-16943?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch adds further classes to the denylist in SubTypeValidator, preventing Jackson from deserializing them. It fixes CVE-2019-16943 by blocking dangerous classes with side effects from being instantiated through polymorphic deserialization, mitigating the remote code execution risk.
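The Technical Details and fix description above turn on one setting: global Default Typing, which lets a type hint in the JSON choose the class to instantiate, with only the SubTypeValidator denylist standing in the way. The following is an added example, not code from this advisory, from Resolved Security or from the Jackson project; it places that weak configuration next to the hardened form that jackson-databind 2.10 and later offer (a PolymorphicTypeValidator allowlist), and it assumes jackson-databind 2.10+ on the classpath and a hypothetical application package `com.example.model.`.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Weak: the global Default Typing the advisory describes. A JSON value shaped
    // ["fully.qualified.ClassName", {...}] makes Jackson instantiate that class, and
    // only the SubTypeValidator denylist (extended by the fix) stands in the way.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return m;
    }

    // Hardened: Default Typing stays on for the application's own polymorphic
    // types, but only subtypes under the allowlisted package (hypothetical
    // "com.example.model." here) may be named in a type hint.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Returns true when the mapper refuses to instantiate the class named in the
    // hint (Jackson raises InvalidTypeIdException, a JsonMappingException subclass).
    static boolean rejectsTypeHint(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (JsonMappingException denied) {
            return true;
        } catch (JsonProcessingException malformed) {
            throw new IllegalStateException("unexpected parse failure", malformed);
        }
    }

    public static void main(String[] args) {
        // Constructed input: a type hint naming a harmless JDK class, standing in
        // for any class the application never intended to deserialize.
        String hinted = "[\"java.util.HashMap\", {\"k\": \"v\"}]";
        System.out.println("weak mapper rejects hint:     " + rejectsTypeHint(weakMapper(), hinted));
        System.out.println("hardened mapper rejects hint: " + rejectsTypeHint(hardenedMapper(), hinted));
    }
}
```

The weak mapper accepts the hint and builds whatever class it names, while the hardened mapper rejects anything outside the allowlisted package, which is why upgrading and replacing `enableDefaultTyping()` with a validator is the durable fix rather than relying on the denylist alone.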

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • <2.6.7.3 → Upgrade to 2.6.7.3
    • >2.7.0, <2.8.11.5 → Upgrade to 2.8.11.5
    • >2.9.0, <2.9.10.1 → Upgrade to 2.9.10.1


Additional Resources

What are Similar Vulnerabilities to CVE-2019-16943?

Similar Vulnerabilities: CVE-2019-14439, CVE-2019-12814, CVE-2019-14540, CVE-2017-7525, CVE-2017-15095