Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2019-17531

Disclosure Date: October 12, 2019
CVE-2019-17531 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • debian,
  • fasterxml,
  • netapp,
  • oracle,
  • redhat

Products

  • banking platform 2.4.0,
  • banking platform 2.4.1,
  • banking platform 2.5.0,
  • banking platform 2.6.0,
  • banking platform 2.6.1,
  • banking platform 2.6.2,
  • banking platform 2.7.0,
  • banking platform 2.7.1,
  • banking platform 2.9.0,
  • communications billing and revenue management 12.0.0.3.0,
  • communications billing and revenue management 7.5.0.23.0,
  • communications calendar server 8.0.0.2.0,
  • communications calendar server 8.0.0.3.0,
  • communications cloud native core network slice selection function 1.2.1,
  • communications evolved communications application server 7.1,
  • debian linux 8.0,
  • global lifecycle management nextgen oui framework 12.2.1.3.0,
  • global lifecycle management nextgen oui framework 12.2.1.4.0,
  • global lifecycle management nextgen oui framework 13.9.4.2.2,
  • goldengate application adapters 19.1.0.0.0,
  • jackson-databind,
  • jboss enterprise application platform 7.2,
  • jboss enterprise application platform 7.3,
  • jd edwards enterpriseone orchestrator 9.2,
  • jd edwards enterpriseone tools 9.2,
  • oncommand workflow automation -,
  • primavera gateway,
  • primavera gateway 16.1,
  • primavera gateway 16.2,
  • primavera gateway 19.12.0,
  • retail merchandising system 15.0.3,
  • retail merchandising system 16.0.2,
  • retail merchandising system 16.0.3,
  • retail sales audit 14.1,
  • siebel engineering - installer & deployment,
  • steelstore cloud integrated storage -,
  • trace file analyzer 12.2.0.1,
  • trace file analyzer 18c,
  • trace file analyzer 19c,
  • webcenter portal 12.2.1.3.0,
  • webcenter portal 12.2.1.4.0,
  • webcenter sites 12.2.1.3.0,
  • webcenter sites 12.2.1.4.0,
  • weblogic server 12.2.1.3.0,
  • weblogic server 12.2.1.4.0

References

Canonical
CVE-2019-17531 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531)
Advisory
[pulsar-commits] 20191127 [GitHub] [pulsar] massakam opened a new pull request #5758: Bump jackson libraries to 2.10.1 (https://lists.apache.org/thread.html/b3c90d38f99db546de60fea65f99a924d540fae2285f014b79606ca5@%3Ccommits.pulsar.apache.org%3E)
https://access.redhat.com/errata/RHSA-2019:4192
[debian-lts-announce] 20191210 [SECURITY] [DLA 2030-1] jackson-databind security update (https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html)
[druid-commits] 20200115 [druid] branch 0.17.0 updated: Suppress CVE-2019-20330 for htrace-core-4.0.1 (#9189) (#9191) (https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E)
https://access.redhat.com/errata/RHSA-2020:0164
https://access.redhat.com/errata/RHSA-2020:0159
https://access.redhat.com/errata/RHSA-2020:0160
https://access.redhat.com/errata/RHSA-2020:0161
https://access.redhat.com/errata/RHSA-2020:0445
https://security.netapp.com/advisory/ntap-20191024-0005
[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image (https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E)
[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12 (https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E)
https://security.netapp.com/advisory/ntap-20191024-0005/
Miscellaneous
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://github.com/FasterXML/jackson-databind/issues/2498
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com//security-alerts/cpujul2021.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis