CVE-2019-17267
Polymorphic Typing vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2019-17267 About?
This vulnerability is a Polymorphic Typing issue in FasterXML jackson-databind that can lead to remote code execution. It allows attackers to leverage deserialization of malicious objects to achieve arbitrary code execution. Exploitation requires specific conditions to be met, but can be highly impactful.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
- <2.8.11.5
- >2.9.0, <2.9.10
Technical Details
The Polymorphic Typing issue in FasterXML jackson-databind before 2.9.10 and 2.8.11.5 is related to `net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup`. This vulnerability arises when `jackson-databind` attempts to deserialize an untrusted data stream using polymorphic typing. If an attacker can control the type information being deserialized, they can specify a gadget class like `EhcacheJtaTransactionManagerLookup` that, during deserialization, can trigger code execution. This typically involves crafting a malicious JSON payload that instructs the deserializer to instantiate and invoke methods on a dangerous class from the classpath.
What is the Impact of CVE-2019-17267?
Successful exploitation may allow attackers to execute arbitrary code on the affected system, potentially leading to full system compromise, data theft, or denial of service.
What is the Exploitability of CVE-2019-17267?
Exploitation is complex and requires several conditions to hold at once: a vulnerable jackson-databind version, the required gadget class on the classpath, and an application that deserializes untrusted input with polymorphic typing enabled. It typically requires only network access to such an endpoint; no authentication to the deserialization endpoint itself is needed. Beyond the application having enabled polymorphic deserialization, there are no further constraints. Risk factors include applications that expose deserialization endpoints to untrusted users and applications that rely on default polymorphic typing configurations without a proper safelist.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-17267?
About the Fix from Resolved Security
This patch adds `net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup` to the blocklist of dangerous classes in SubTypeValidator, preventing it from being deserialized. Blocking this class fixes CVE-2019-17267, which allowed remote code execution via unsafe deserialization when untrusted data was handled with polymorphic type handling.
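The blocklist above is reactive: each newly found gadget class has to be added by name. The added example below (not code from the page or from the jackson-databind project) shows the weak setting that exposes applications to this class of bug, global default typing with no validator, beside a hardened configuration that allows only an expected type hierarchy through, using the `BasicPolymorphicTypeValidator` allowlist that jackson-databind 2.10 introduced. It assumes jackson-databind 2.10 or later on the classpath; `Shape`, `Circle` and the two JSON inputs are constructed for the demo, and `java.util.HashMap` stands in for any class the application never meant to accept.

```java
import java.io.IOException;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
public class PolymorphicTypingDemo {
    // Constructed demo types: the only hierarchy this application expects to receive.
    public interface Shape { }
    public static class Circle implements Shape { public double radius; }
    // Weak setting: global default typing with no validator (pre-2.10 style). Any class on the
    // classpath may be named in the type id, which is the condition CVE-2019-17267 relies on.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Hardened setting: default typing stays on, but only subtypes of Shape may be resolved.
    // Unlisted class names are refused before a deserializer for them is built, so the reactive
    // blocklist in SubTypeValidator is no longer the only line of defence.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // True if the mapper resolves the type id in json; false if it rejects it. Jackson reports a
    // denied type id as InvalidTypeIdException, a subclass of JsonMappingException.
    static boolean acceptsType(ObjectMapper m, String json) throws IOException {
        try {
            m.readValue(json, Object.class);
            return true;
        } catch (JsonMappingException e) {
            return false;
        }
    }
    public static void main(String[] args) throws IOException {
        // Constructed inputs in WRAPPER_ARRAY form: ["<class name>", { ...properties... }]
        String expected = "[\"" + Circle.class.getName() + "\",{\"radius\":2.0}]";
        String unlisted = "[\"java.util.HashMap\",{}]"; // harmless class that is not a Shape
        System.out.println("weak mapper accepts unlisted type:     " + acceptsType(weakMapper(), unlisted));
        System.out.println("hardened mapper accepts unlisted type: " + acceptsType(hardenedMapper(), unlisted));
        System.out.println("hardened mapper accepts Circle:        " + acceptsType(hardenedMapper(), expected));
    }
}
```

The weak mapper resolves the unlisted class name, while the hardened mapper rejects it and still accepts `Circle`; where global default typing is not needed at all, declaring subtypes explicitly with `@JsonTypeInfo`/`@JsonSubTypes` on the base type is the narrower option.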
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- <2.8.11.5 → Upgrade to 2.8.11.5
- com.fasterxml.jackson.core:jackson-databind
- >2.9.0, <2.9.10 → Upgrade to 2.9.10
Additional Resources
- https://access.redhat.com/errata/RHSA-2019:3200
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E
- https://security.netapp.com/advisory/ntap-20191017-0006/
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2020.html
What are Similar Vulnerabilities to CVE-2019-17267?
Similar Vulnerabilities: CVE-2019-12384, CVE-2019-14893, CVE-2017-7525, CVE-2018-7489, CVE-2020-36518
