Vulnerabilities > CVE-2019-14439 - Deserialization of Untrusted Data vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
network
low complexity
fasterxml
debian
fedoraproject
apache
redhat
oracle
CWE-502
nessus
NVD
Published: 2019-07-30
Updated: 2023-11-07

Summary

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

Vulnerable Configurations

Part Description Count
Application
Fasterxml
124
Application
Apache
1
Application
Redhat
1
Application
Oracle
87
OS
Debian
3
OS
Fedoraproject
2

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1879.NASL
    descriptionDeserialization flaws were discovered in jackson-databind relating to EHCache and logback/jndi, which could allow an unauthenticated user to perform remote code execution. The issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id127821
    published2019-08-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127821
    titleDebian DLA-1879-1 : jackson-databind security update
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-1879-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(127821);
  script_version("1.2");
  script_cvs_date("Date: 2020/01/02");

  script_cve_id("CVE-2019-14379", "CVE-2019-14439");

  script_name(english:"Debian DLA-1879-1 : jackson-databind security update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Deserialization flaws were discovered in jackson-databind relating to
EHCache and logback/jndi, which could allow an unauthenticated user to
perform remote code execution. The issue was resolved by extending the
blacklist and blocking more classes from polymorphic deserialization.

For Debian 8 'Jessie', these problems have been fixed in version
2.4.2-2+deb8u8.

We recommend that you upgrade your jackson-databind packages.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/jackson-databind"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjackson2-databind-java");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjackson2-databind-java-doc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/08/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/13");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"8.0", prefix:"libjackson2-databind-java", reference:"2.4.2-2+deb8u8")) flag++;
if (deb_check(release:"8.0", prefix:"libjackson2-databind-java-doc", reference:"2.4.2-2+deb8u8")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
  • NASL familyCGI abuses
    NASL idORACLE_PRIMAVERA_UNIFIER_CPU_OCT_2019.NASL
    descriptionAccording to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.1.x or 16.2.x prior to 16.2.15.10, or 17.7.x through 17.12.x prior to 17.12.11.1, or 18.8.x prior to 18.8.13.0. It is, therefore, affected by multiple vulnerabilities: - An unspecified flaw exists in how
    last seen2020-06-01
    modified2020-06-02
    plugin id130070
    published2019-10-21
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130070
    titleOracle Primavera Unifier Multiple Vulnerabilities (Oct 2019 CPU)
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(130070);
  script_version("1.2");
  script_cvs_date("Date: 2019/10/30 13:24:46");

  script_cve_id(
    "CVE-2017-12626",
    "CVE-2019-11358",
    "CVE-2019-12086",
    "CVE-2019-14379",
    "CVE-2019-14439"
  );
  script_bugtraq_id(102879, 108023, 109227);
  script_xref(name:"IAVA", value:"2019-A-0380");

  script_name(english:"Oracle Primavera Unifier Multiple Vulnerabilities (Oct 2019 CPU)");
  script_summary(english:"Checks the version of Oracle Primavera Unifier.");

  script_set_attribute(attribute:"synopsis", value:
"An application running on the remote web server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web
server is 16.1.x or 16.2.x prior to 16.2.15.10, or 17.7.x through 17.12.x prior to 17.12.11.1, or 18.8.x prior to
18.8.13.0. It is, therefore, affected by multiple vulnerabilities:

    - An unspecified flaw exists in how 'default typing' is handled when 'ehcache' is used in the
      jackson-databind component of Primavera Unifier. An unauthenticated, remote attacker can exploit this
      via the network over HTTP to cause remote code execution. (CVE-2019-14379)

    - An information disclosure vulnerability exists in the jackson-databind component of Primavera Unifier.
      An unauthenticated, remote attacker can exploit this via an externally exposed JSON endpoint if the
      service has the mysql-connector-java jar in the classpath, and the attacker can host a crafted MySQL
      server accessible by the victim. An attacker can send a crafted JSON message to read arbitrary local
      files on the server. (CVE-2019-12086)

    - An information disclosure vulnerability exists in the jackson-databind component of Primavera Unifier.
      An unauthenticated, remote attacker can exploit this via an externally exposed JSON endpoint if the
      service has the logback jar in the classpath, which can allow information disclosure. (CVE-2019-14439)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b370bc74");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Oracle Primavera Unifier version 16.2.15.10 / 17.12.11.1 / 18.8.13.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14379");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/21");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:oracle:primavera_unifier");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_primavera_unifier.nbin");
  script_require_keys("installed_sw/Oracle Primavera Unifier", "www/weblogic");
  script_require_ports("Services/www", 8002);

  exit(0);
}

include('http.inc');
include('vcf.inc');

get_install_count(app_name:'Oracle Primavera Unifier', exit_if_zero:TRUE);

port = get_http_port(default:8002);
get_kb_item_or_exit('www/weblogic/' + port + '/installed');

app_info = vcf::get_app_info(app:'Oracle Primavera Unifier', port:port);

vcf::check_granularity(app_info:app_info, sig_segments:3);

constraints = [
  { 'min_version' : '16.1.0.0', 'fixed_version' : '16.2.15.10' },
  { 'min_version' : '17.7.0.0', 'fixed_version' : '17.12.11.1' },
  { 'min_version' : '18.8.0.0', 'fixed_version' : '18.8.13.0' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-99FF6AA32C.NASL
    description - Update jackson-databind to version 2.9.9.3. - Update jackson-core to version 2.9.9. - Update jackson-annotations to version 2.9.9. - Update jackson-bom to version 2.9.9. Resolves CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, and CVE-14439. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129634
    published2019-10-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129634
    titleFedora 31 : jackson-annotations / jackson-bom / jackson-core / jackson-databind (2019-99ff6aa32c)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-FB23ECCC03.NASL
    description - Update jackson-databind to version 2.9.9.3. - Update jackson-core to version 2.9.9. - Update jackson-annotations to version 2.9.9. - Update jackson-bom to version 2.9.9. Resolves CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, and CVE-14439. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129113
    published2019-09-23
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129113
    titleFedora 29 : jackson-annotations / jackson-bom / jackson-core / jackson-databind (2019-fb23eccc03)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4542.NASL
    descriptionIt was discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attempting deserialization. This allowed an attacker providing maliciously crafted input to perform code execution, or read arbitrary files on the server.
    last seen2020-06-01
    modified2020-06-02
    plugin id129597
    published2019-10-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129597
    titleDebian DSA-4542-1 : jackson-databind - security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-AE6A703B8F.NASL
    description - Update jackson-databind to version 2.9.9.3. - Update jackson-core to version 2.9.9. - Update jackson-annotations to version 2.9.9. - Update jackson-bom to version 2.9.9. Resolves CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, and CVE-14439. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129110
    published2019-09-23
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129110
    titleFedora 30 : jackson-annotations / jackson-bom / jackson-core / jackson-databind (2019-ae6a703b8f)

Redhat

advisories
rhsa
idRHSA-2019:3200

References