CVE-2019-17531
Polymorphic Typing vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2019-17531 About?
A Polymorphic Typing issue in FasterXML jackson-databind (2.0.0 up to the patched 2.6.7.3, 2.8.11.5 and 2.9.10.1 releases) allows remote code execution. It is reachable when Default Typing is enabled, globally or for a specific property, on an externally exposed JSON endpoint and the apache-log4j-extra (1.2.x) jar is on the classpath: a crafted payload can then make the service perform a JNDI lookup against an attacker-controlled server and execute what comes back.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
  - <2.6.7.3
  - >=2.7.0, <2.8.11.5
  - >=2.9.0, <2.9.10.1
Technical Details
The vulnerability in FasterXML jackson-databind (versions 2.0.0 up to the fixed 2.6.7.3, 2.8.11.5 and 2.9.10.1 releases) is another instance of Polymorphic Typing mishandling. When Default Typing is enabled, either globally or for a specific property, a JSON document can name the concrete class Jackson should instantiate for a polymorphic (Object, abstract or interface) field, and Jackson then calls that class's setters with attacker-supplied values. If the apache-log4j-extra 1.2.x jar is on the classpath, the attacker names one of its database connection source classes and supplies a JNDI service URL in the crafted payload. Deserializing the payload drives a JNDI lookup to the attacker-controlled server, which can hand back a reference to a remote class that the JVM fetches and instantiates, giving the attacker arbitrary code execution on the server. The endpoint only has to be reachable over the network and to deserialize the request with polymorphic typing enabled.
What is the Impact of CVE-2019-17531?
Successful exploitation gives the attacker arbitrary code execution inside the application's JVM, which means complete compromise of the host, access to any data the service can reach, or denial of service.
What is the Exploitability of CVE-2019-17531?
All of the following must hold: the application uses a vulnerable jackson-databind version, Default Typing is enabled (globally or on the deserialized property), a JSON endpoint that deserializes attacker-controlled input is reachable over the network, and the apache-log4j-extra 1.2.x jar is on the classpath. Given those conditions the attack is remote, needs no authentication when the endpoint is public, and is of moderate complexity: the attacker crafts a JSON payload and runs a JNDI server that answers the lookup. The real work is finding an endpoint that deserializes into a polymorphic (Object, abstract or interface) type, because that is where the class name in the payload is honoured. The combination of the vulnerable library, the gadget jar and a default-typing configuration is what makes exploitation practical.
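The weak configuration described in the Technical Details and Exploitability sections, beside two hardened forms, as an added example that is not code from this advisory or from the jackson-databind project. It assumes jackson-databind 2.10 or later on the classpath: `enableDefaultTyping()` still compiles there (deprecated), and `activateDefaultTyping` with a `BasicPolymorphicTypeValidator` is what replaced it; the annotation-based allowlist in the middle also works on the patched 2.6.7.3, 2.8.11.5 and 2.9.10.1 releases. `Request`, `Notification`, `Email`, `Sms` and the `com.example.notifications.` package prefix are placeholders, and the JSON inputs are constructed, not captured traffic.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not part of the advisory or of jackson-databind.
// Assumes jackson-databind 2.10+; type names and the package prefix are placeholders.
public class PolymorphicTypingExample {

    // A request body with an untyped field. With default typing enabled this field
    // accepts ["fully.qualified.ClassName", {...}] from the client, and Jackson will
    // instantiate that class and call its setters with the client's values.
    public static class Request {
        public String name;
        public Object payload;
    }

    // WEAK: global default typing on a mapper that reads externally supplied JSON.
    // This is the precondition for CVE-2019-17531: any class on the classpath with a
    // usable setter, such as the log4j-extras connection sources, becomes reachable.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10, still compiles
        return mapper;
    }

    // HARDENED 1: no default typing at all; a closed allowlist of subtypes keyed by
    // a logical name, so a class name in the JSON is never consulted.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Email.class, name = "email"),
        @JsonSubTypes.Type(value = Sms.class, name = "sms")
    })
    public interface Notification {}
    public static class Email implements Notification { public String address; }
    public static class Sms implements Notification { public String number; }

    static ObjectMapper allowlistedMapper() {
        return new ObjectMapper(); // default typing off; only @JsonSubTypes names resolve
    }

    // HARDENED 2 (2.10+): if default typing is really needed, bound it with a validator
    // that allows only your own model types. Anything else is refused before loading.
    static ObjectMapper validatedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfBaseType(Notification.class)
            .allowIfSubType("com.example.notifications.") // placeholder package
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a legitimate request against the name-based allowlist.
        String legit = "{\"kind\":\"email\",\"address\":\"ops@example.com\"}";
        Notification n = allowlistedMapper().readValue(legit, Notification.class);
        System.out.println("allowlisted mapper accepted: " + n.getClass().getSimpleName());

        // A client-chosen type id that is not a registered name.
        String badName = "{\"kind\":\"org.example.NotRegistered\",\"address\":\"x\"}";
        try {
            allowlistedMapper().readValue(badName, Notification.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("allowlisted mapper rejected id: " + e.getTypeId());
        }

        // The CVE shape: a class name smuggled into an Object-typed field. A harmless
        // JDK type stands in for the gadget. The weak mapper honours the name and
        // instantiates it; the validated mapper denies it before loading the class.
        String smuggled = "{\"name\":\"job\",\"payload\":[\"java.util.HashMap\",{}]}";
        Request r = vulnerableMapper().readValue(smuggled, Request.class);
        System.out.println("weak mapper instantiated: " + r.payload.getClass().getName());
        try {
            validatedMapper().readValue(smuggled, Request.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("validated mapper denied class: " + e.getTypeId());
        }
    }
}
```

The point of the two hardened mappers is that neither depends on the library's blocklist: a name-based allowlist never resolves a class from client input, and the validator refuses every class outside the listed package, so a new gadget jar on the classpath changes nothing. Upgrading still matters (it closes the default-typing paths you did not know about), but it is not a substitute for removing default typing from externally reachable mappers.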
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-17531?
About the Fix from Resolved Security
The patch adds two log4j database connection source classes to jackson-databind's internal blocklist, so a payload that names either class is rejected before it is instantiated. That closes the JNDI path described in this CVE. The blocklist is a denylist, however: it only covers gadget classes already known to the project, so Default Typing on externally supplied JSON remains unsafe even on a patched version and should be disabled or replaced with an explicit allowlist of subtypes.
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
  - <2.6.7.3 → upgrade to 2.6.7.3
  - >=2.7.0, <2.8.11.5 → upgrade to 2.8.11.5
  - >=2.9.0, <2.9.10.1 → upgrade to 2.9.10.1
Additional Resources
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2021.html
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://access.redhat.com/errata/RHSA-2020:0159
What are Similar Vulnerabilities to CVE-2019-17531?
Similar Vulnerabilities: CVE-2017-7525, CVE-2017-15095, CVE-2018-7489, CVE-2019-14892, CVE-2020-17521
