CVE-2019-14379

Published on: 07/29/2019 12:00:00 AM UTC

Last Modified on: 12/02/2022 07:23:00 PM UTC

CVE-2019-14379

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Certain versions of Xcode from Apple contain the following vulnerability:

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

CVE-2019-14379 has been assigned by [email protected] to track the vulnerability - currently rated as CRITICAL severity.

CVSS3 Score: 9.8 - CRITICAL

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
NETWORK	LOW	NONE	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	HIGH	HIGH	HIGH

CVSS2 Score: 7.5 - HIGH

Access Vector^ⓘ	Access Complexity	Authentication
NETWORK	LOW	NONE
Confidentiality Impact	Integrity Impact	Availability Impact
PARTIAL	PARTIAL	PARTIAL

CVE References

Description	Tags ^ⓘ	Link
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2019:2935
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439
[SECURITY] Fedora 29 Update: jackson-core-2.9.9-1.fc29 - package-announce - Fedora Mailing-Lists	Third Party Advisory lists.fedoraproject.org text/html	FEDORA FEDORA-2019-fb23eccc03
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439
[SECURITY] [DLA 1879-1] jackson-databind security update	Mailing List Third Party Advisory lists.debian.org text/html	MLIST [debian-lts-announce] 20190812 [SECURITY] [DLA 1879-1] jackson-databind security update
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHBA-2019:2824
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12
Oracle Critical Patch Update Advisory - July 2020	Third Party Advisory www.oracle.com text/html	MISC www.oracle.com/security-alerts/cpujul2020.html
[SECURITY] Fedora 31 Update: jackson-databind-2.9.9.3-1.fc31 - package-announce - Fedora Mailing-Lists	Third Party Advisory lists.fedoraproject.org text/html	FEDORA FEDORA-2019-99ff6aa32c
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2019:3050
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2019:2937
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [ambari-commits] 20190813 [ambari] branch trunk updated: AMBARI-25352 : Upgrade fasterxml jackson dependency due to CVE-2019-14379(trunk) (#3067)
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2019:3292
[SECURITY] Fedora 30 Update: jackson-databind-2.9.9.3-1.fc30 - package-announce - Fedora Mailing-Lists	Third Party Advisory lists.fedoraproject.org text/html	FEDORA FEDORA-2019-ae6a703b8f
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image
Pony Mail!	Mailing List Third Party Advisory web.archive.org text/html Inactive LinkNot Archived	MLIST [tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439
Oracle Critical Patch Update Advisory - October 2020	Third Party Advisory www.oracle.com text/html	MISC www.oracle.com/security-alerts/cpuoct2020.html
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [ambari-commits] 20190813 [ambari] branch branch-2.7 updated: AMBARI-25352 : Upgrade fasterxml jackson dependency due to CVE-2019-14379 (#3066)
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue commented on issue #533: Update Jackson to 2.9.10 for CVE-2019-14379
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2019:3149
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2019:3901
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [iceberg-issues] 20191010 [GitHub] [incubator-iceberg] mccheah opened a new pull request #535: Update Jackson to 2.9.10 for CVE-2019-14379
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2019:2743
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2019:2936
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [pulsar-commits] 20190822 [GitHub] [pulsar] massakam opened a new pull request #5011: [security] Upgrade jackson-databind
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [iceberg-issues] 20191027 [GitHub] [incubator-iceberg] rdsr commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379
Comparing jackson-databind-2.9.9.1...jackson-databind-2.9.9.2 · FasterXML/jackson-databind · GitHub	Patch Third Party Advisory github.com text/html	MISC github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2020:0727
Full Disclosure: APPLE-SA-2022-03-14-7 Xcode 13.3	seclists.org text/html	FULLDISC 20220314 APPLE-SA-2022-03-14-7 Xcode 13.3
About the security content of Xcode 13.3 - Apple Support	support.apple.com text/html	CONFIRM support.apple.com/kb/HT213189
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2019:2938
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [iceberg-issues] 20191010 [GitHub] [incubator-iceberg] mccheah commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2019:3200
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2019:3045
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2019:3046
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2019:2858
Oracle Critical Patch Update - October 2019	Third Party Advisory www.oracle.com text/html	MISC www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Oracle Critical Patch Update Advisory - January 2020	Third Party Advisory www.oracle.com text/html	MISC www.oracle.com/security-alerts/cpujan2020.html
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2019:3297
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2019:2998
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [tinkerpop-commits] 20190924 [GitHub] [tinkerpop] justinchuch opened a new pull request #1200: Upgrade jackson due to CVE issues
Pony Mail!	Mailing List lists.apache.org text/html	MLIST [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue closed pull request #533: Update Jackson to 2.9.10 for CVE-2019-14379
Oracle Critical Patch Update Advisory - April 2020	Third Party Advisory www.oracle.com text/html	N/A N/A
Block one more gadget type (ehcache, CVE-2019-14379) · Issue #2387 · FasterXML/jackson-databind · GitHub	Issue Tracking Patch Third Party Advisory github.com text/html	MISC github.com/FasterXML/jackson-databind/issues/2387
August 2019 FasterXML jackson-databind Vulnerabilities in NetApp Products \| NetApp Product Security	Third Party Advisory security.netapp.com text/html	CONFIRM security.netapp.com/advisory/ntap-20190814-0001/
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
Oracle Critical Patch Update Advisory - April 2021	www.oracle.com text/html	MISC www.oracle.com/security-alerts/cpuApr2021.html
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue opened a new pull request #533: Update Jackson to 2.9.10 for CVE-2019-14379
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue merged pull request #535: Update Jackson to 2.9.10 for CVE-2019-14379
Pony Mail!	Mailing List Third Party Advisory lists.apache.org text/html	MLIST [tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2019:3044

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

Related QID Numbers

375626 IBM Cognos Analytics Multiple Vulnerabilities (6451705)
376491 Apple Xcode Multiple Vulnerabilities (HT213189)
982256 Java (maven) Security Update for com.fasterxml.jackson.core:jackson-databind (GHSA-6fpp-rgj9-8rwc)

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apple	Xcode	All	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Application	Fasterxml	Jackson-databind	All	All	All	All
Application	Fasterxml	Jackson-databind	All	All	All	All
Operating System	Fedoraproject	Fedora	29	All	All	All
Operating System	Fedoraproject	Fedora	30	All	All	All
Operating System	Fedoraproject	Fedora	31	All	All	All
Application	Netapp	Active Iq Unified Manager	All	All	All	All
Application	Netapp	Active Iq Unified Manager	All	All	All	All
Application	Netapp	Active Iq Unified Manager	All	All	All	All
Application	Netapp	Oncommand Workflow Automation	-	All	All	All
Application	Netapp	Oncommand Workflow Automation	-	All	All	All
Application	Netapp	Service Level Manager	-	All	All	All
Application	Netapp	Snapcenter	-	All	All	All
Application	Netapp	Snapcenter	-	All	All	All
Application	Oracle	Banking Platform	2.4.0	All	All	All
Application	Oracle	Banking Platform	2.4.1	All	All	All
Application	Oracle	Banking Platform	2.5.0	All	All	All
Application	Oracle	Banking Platform	2.6.0	All	All	All
Application	Oracle	Banking Platform	2.6.1	All	All	All
Application	Oracle	Banking Platform	2.7.0	All	All	All
Application	Oracle	Banking Platform	2.7.1	All	All	All
Application	Oracle	Communications Diameter Signaling Router	8.0.0	All	All	All
Application	Oracle	Communications Diameter Signaling Router	8.1	All	All	All
Application	Oracle	Communications Diameter Signaling Router	8.2	All	All	All
Application	Oracle	Communications Diameter Signaling Router	8.2.1	All	All	All
Application	Oracle	Communications Instant Messaging Server	10.0.1.3.0	All	All	All
Application	Oracle	Financial Services Analytical Applications Infrastructure	All	All	All	All
Application	Oracle	Goldengate Stream Analytics	All	All	All	All
Application	Oracle	Jd Edwards Enterpriseone Orchestrator	9.2	All	All	All
Application	Oracle	Jd Edwards Enterpriseone Tools	9.2	All	All	All
Application	Oracle	Primavera Gateway	15.2	All	All	All
Application	Oracle	Primavera Gateway	16.2	All	All	All
Application	Oracle	Primavera Gateway	17.12	All	All	All
Application	Oracle	Primavera Gateway	18.8.0	All	All	All
Application	Oracle	Primavera Unifier	16.1	All	All	All
Application	Oracle	Primavera Unifier	16.2	All	All	All
Application	Oracle	Primavera Unifier	18.8	All	All	All
Application	Oracle	Primavera Unifier	All	All	All	All
Application	Oracle	Retail Customer Management And Segmentation Foundation	17.0	All	All	All
Application	Oracle	Retail Xstore Point Of Service	15.0	All	All	All
Application	Oracle	Retail Xstore Point Of Service	16.0	All	All	All
Application	Oracle	Retail Xstore Point Of Service	17.0	All	All	All
Application	Oracle	Retail Xstore Point Of Service	18.0	All	All	All
Application	Oracle	Retail Xstore Point Of Service	7.1	All	All	All
Application	Oracle	Siebel Engineering - Installer Deployment	All	All	All	All
Application	Oracle	Siebel Engineering - Installer Deployment	All	All	All	All
Application	Oracle	Siebel Ui Framework	All	All	All	All
Operating System	Redhat	Enterprise Linux	6.0	All	All	All
Operating System	Redhat	Enterprise Linux	7.0	All	All	All
Operating System	Redhat	Enterprise Linux	8.0	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	7.2	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	7.3	All	All	All
Application	Redhat	Openshift Container Platform	3.11	All	All	All
Application	Redhat	Openshift Container Platform	4.1	All	All	All
Application	Redhat	Single Sign-on	7.3	All	All	All

cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*:
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*:
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*:
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*:
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*:
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*:
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*:
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*:
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:linux:*:*:
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*:
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*:
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*:
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*:
cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*:
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*:
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.3.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:goldengate_stream_analytics:*:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_gateway:18.8.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:siebel_engineering_-_installer_&_deployment:*:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:siebel_engineering_-_installer_\&_deployment:*:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*:
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*:
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*:
cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*:
cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*:
cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE

Social Mentions

Source	Title	Posted (UTC)
/r/k12cybersecurity	MS-ISAC CYBERSECURITY ADVISORY - Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution - PATCH: NOW	2022-03-15 13:18:46