CVE-2019-16943
Summary
| CVE | CVE-2019-16943 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-10-01 17:15:00 UTC |
| Updated | 2023-11-07 03:06:00 UTC |
| Description | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. |
Risk And Classification
Problem Types: CWE-502 (Deserialization of Untrusted Data)
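The description above names the three preconditions for this chain: Default Typing enabled on an externally exposed JSON endpoint, the p6spy jar on the classpath, and an RMI endpoint the attacker can reach. The one a development team controls directly is the first. The following is an added example written for this page, not code from the CVE record, from FasterXML or from p6spy. It assumes jackson-databind 2.10 or later on the classpath (the activateDefaultTyping and BasicPolymorphicTypeValidator API does not exist in 2.9.x, where the only options are removing enableDefaultTyping or upgrading), and the Event, Login and Envelope classes are hypothetical. It contrasts the permissive pre-2.10 configuration, under which the client's JSON chooses the class to instantiate, with an allow-list validator that rejects any type id outside the application's own hierarchy, including the P6DataSource name from this CVE, before the class is loaded.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Vulnerable vs. hardened Default Typing (added example, not project code).
 * Requires jackson-databind 2.10+ on the classpath. p6spy does not need to be
 * present: the hardened mapper refuses the type id before any class is loaded.
 */
public class DefaultTypingDemo {

    /** Hypothetical application types: the only polymorphic values the endpoint should accept. */
    public interface Event {}
    public static class Login implements Event { public String user; }

    /** Hypothetical request body. The Object-typed field is what makes Default Typing
     *  dangerous: the JSON, not the code, decides which class gets instantiated. */
    public static class Envelope { public Object payload; }

    /** Pre-2.10 style configuration (OBJECT_AND_NON_CONCRETE). Any class on the classpath
     *  can be named by the client, including com.p6spy.engine.spy.P6DataSource. */
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();   // deprecated since 2.10 precisely because of this class of bug
        return m;
    }

    /** Same feature, but every type id is checked against an allow-list: only subtypes of
     *  Event resolve; anything else is rejected whether or not the class exists. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Event.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    /** Runtime class the mapper produced for payload, or the reason it was refused. */
    static String resolve(ObjectMapper mapper, String json) {
        try {
            Envelope e = mapper.readValue(json, Envelope.class);
            return "accepted: " + e.payload.getClass().getName();
        } catch (InvalidTypeIdException ex) {
            return "rejected type id: " + ex.getTypeId();
        } catch (Exception ex) {
            return "error: " + ex;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs. With WRAPPER_ARRAY default typing the type id is the first array element.
        String clientPicksClass = "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";
        // The gadget class from the CVE description, with no gadget-specific properties: the
        // type id alone is what the validator has to stop.
        String gadgetFromCve = "{\"payload\":[\"com.p6spy.engine.spy.P6DataSource\",{}]}";

        // A legitimate message, serialized by the hardened mapper so its type id is exactly
        // the form that mapper writes and expects.
        Envelope legit = new Envelope();
        Login login = new Login();
        login.user = "alice";
        legit.payload = login;
        String legitJson = hardenedMapper().writeValueAsString(legit);

        System.out.println("vulnerable, HashMap:      " + resolve(vulnerableMapper(), clientPicksClass));
        System.out.println("hardened,   HashMap:      " + resolve(hardenedMapper(), clientPicksClass));
        System.out.println("hardened,   P6DataSource: " + resolve(hardenedMapper(), gadgetFromCve));
        System.out.println("hardened,   Login:        " + resolve(hardenedMapper(), legitJson));
    }
}
```

The vulnerable mapper instantiates whatever class the first array element names; the hardened mapper rejects both the HashMap and the P6DataSource type ids with InvalidTypeIdException and accepts only the Login payload. The GitHub issue #2478 in the references is FasterXML's blocklist entry for this gadget class; a blocklist covers only gadgets already known, which is why the allow-list, or not enabling Default Typing on external input at all, is the durable fix.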
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Application | Fasterxml | Jackson-databind | 2.0.0 through 2.9.10 | All | All | All |
| Operating System | Fedoraproject | Fedora | 30 | All | All | All |
| Operating System | Fedoraproject | Fedora | 31 | All | All | All |
| Application | Netapp | Active Iq Unified Manager | All | All | All | All |
| Application | Netapp | Oncommand Api Services | - | All | All | All |
| Application | Netapp | Oncommand Workflow Automation | - | All | All | All |
| Application | Netapp | Service Level Manager | - | All | All | All |
| Application | Netapp | Steelstore Cloud Integrated Storage | - | All | All | All |
| Application | Oracle | Banking Platform | 2.4.0 | All | All | All |
| Application | Oracle | Banking Platform | 2.4.1 | All | All | All |
| Application | Oracle | Banking Platform | 2.5.0 | All | All | All |
| Application | Oracle | Banking Platform | 2.6.0 | All | All | All |
| Application | Oracle | Banking Platform | 2.6.1 | All | All | All |
| Application | Oracle | Banking Platform | 2.6.2 | All | All | All |
| Application | Oracle | Banking Platform | 2.7.0 | All | All | All |
| Application | Oracle | Banking Platform | 2.7.1 | All | All | All |
| Application | Oracle | Banking Platform | 2.9.0 | All | All | All |
| Application | Oracle | Communications Billing And Revenue Management | 12.0.0.3.0 | All | All | All |
| Application | Oracle | Communications Billing And Revenue Management | 7.5.0.23.0 | All | All | All |
| Application | Oracle | Communications Calendar Server | 8.0.0.2.0 | All | All | All |
| Application | Oracle | Communications Calendar Server | 8.0.0.3.0 | All | All | All |
| Application | Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.2.1 | All | All | All |
| Application | Oracle | Communications Evolved Communications Application Server | 7.1 | All | All | All |
| Application | Oracle | Global Lifecycle Management Nextgen Oui Framework | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Global Lifecycle Management Nextgen Oui Framework | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Global Lifecycle Management Nextgen Oui Framework | 13.9.4.2.2 | All | All | All |
| Application | Oracle | Goldengate Application Adapters | 19.1.0.0.0 | All | All | All |
| Application | Oracle | Jd Edwards Enterpriseone Orchestrator | 9.2 | All | All | All |
| Application | Oracle | Jd Edwards Enterpriseone Tools | 9.2 | All | All | All |
| Application | Oracle | Primavera Gateway | 16.1 | All | All | All |
| Application | Oracle | Primavera Gateway | 16.2 | All | All | All |
| Application | Oracle | Primavera Gateway | 19.12.0 | All | All | All |
| Application | Oracle | Primavera Gateway | All | All | All | All |
| Application | Oracle | Retail Merchandising System | 15.0.3 | All | All | All |
| Application | Oracle | Retail Merchandising System | 16.0.2 | All | All | All |
| Application | Oracle | Retail Merchandising System | 16.0.3 | All | All | All |
| Application | Oracle | Retail Sales Audit | 14.1 | All | All | All |
| Application | Oracle | Siebel Engineering - Installer Deployment | All | All | All | All |
| Application | Oracle | Trace File Analyzer | 12.2.0.1 | All | All | All |
| Application | Oracle | Trace File Analyzer | 18c | All | All | All |
| Application | Oracle | Trace File Analyzer | 19c | All | All | All |
| Application | Oracle | Webcenter Portal | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Webcenter Portal | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Webcenter Sites | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Webcenter Sites | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Weblogic Server | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Weblogic Server | 12.2.1.4.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server | 8.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 7.2 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 7.3 | All | All | All |
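The affected-configuration table above is mostly downstream products; for an application team the question reduces to what is on the classpath: which jackson-databind version, whether it falls in 2.0.0 through 2.9.10, and whether p6spy sits next to it. The following triage helper is an added example for this page, not code from the CVE record, NVD or any vendor listed above. It parses mvn dependency:tree output (the sample lines are constructed, not from a real build, and the pattern assumes coordinates without a classifier) and uses the artifacts' actual Maven coordinates, com.fasterxml.jackson.core:jackson-databind and p6spy:p6spy. The version comparison is numeric per component so that a four-component patch release such as 2.9.10.1 sorts above 2.9.10 and outside the range, which a string comparison or a substring match on "2.9.10" would get wrong. The third precondition from the description, Default Typing enabled for an external endpoint, is not visible in a dependency tree and is reported as the follow-up check.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Classpath triage for CVE-2019-16943 (added example, not vendor code). Two of the three
 * preconditions in the CVE description are visible in a Maven dependency tree: a
 * jackson-databind version in 2.0.0..2.9.10 and the p6spy jar. The third, Default Typing
 * enabled on an externally exposed endpoint, is a code property and must be checked by hand.
 */
public class Cve201916943Triage {

    /** Affected range from the CVE description, inclusive at both ends. */
    static final String FIRST_AFFECTED = "2.0.0";
    static final String LAST_AFFECTED  = "2.9.10";

    /** Coordinate part of a `mvn dependency:tree` line such as
     *  "[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10:compile".
     *  Assumes group:artifact:jar:version:scope with no classifier. */
    static final Pattern GAV = Pattern.compile("([\\w.\\-]+):([\\w.\\-]+):jar:([\\w.\\-]+):\\w+");

    /** Leading integer of one version component; a qualifier such as "pr1" compares as 0. */
    static int numericPrefix(String component) {
        Matcher m = Pattern.compile("^\\d+").matcher(component);
        return m.find() ? Integer.parseInt(m.group()) : 0;
    }

    /** Component-wise numeric comparison. Missing components count as 0, so 2.9.10 equals
     *  2.9.10.0 while 2.9.10.1 is greater than 2.9.10 and therefore outside the range. */
    static int compareVersions(String a, String b) {
        String[] as = a.split("\\."), bs = b.split("\\.");
        int n = Math.max(as.length, bs.length);
        for (int i = 0; i < n; i++) {
            int x = i < as.length ? numericPrefix(as[i]) : 0;
            int y = i < bs.length ? numericPrefix(bs[i]) : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    static boolean inAffectedRange(String jacksonVersion) {
        return compareVersions(jacksonVersion, FIRST_AFFECTED) >= 0
            && compareVersions(jacksonVersion, LAST_AFFECTED) <= 0;
    }

    /** Version of the first matching artifact in the tree, if present. */
    static Optional<String> findVersion(List<String> treeLines, String groupId, String artifactId) {
        for (String line : treeLines) {
            Matcher m = GAV.matcher(line);
            if (m.find() && m.group(1).equals(groupId) && m.group(2).equals(artifactId)) {
                return Optional.of(m.group(3));
            }
        }
        return Optional.empty();
    }

    /** One-line verdict for a dependency tree, combining the two classpath-visible conditions. */
    static String assess(List<String> treeLines) {
        Optional<String> jackson = findVersion(treeLines, "com.fasterxml.jackson.core", "jackson-databind");
        Optional<String> p6spy = findVersion(treeLines, "p6spy", "p6spy");
        if (!jackson.isPresent()) {
            return "jackson-databind not on the classpath: not affected by this CVE";
        }
        if (!inAffectedRange(jackson.get())) {
            return "jackson-databind " + jackson.get() + " is outside 2.0.0..2.9.10: not affected";
        }
        if (!p6spy.isPresent()) {
            return "jackson-databind " + jackson.get() + " is in range but p6spy is absent; this chain "
                 + "is not available, but issue #2478 covers a commons-dbcp gadget too, so upgrade anyway";
        }
        return "jackson-databind " + jackson.get() + " with p6spy " + p6spy.get() + ": gadget class "
             + "reachable; confirm whether any ObjectMapper enables Default Typing on external input, and upgrade";
    }

    public static void main(String[] args) {
        // Constructed dependency:tree excerpts, not taken from a real build.
        List<String> exposed = Arrays.asList(
            "[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10:compile",
            "[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.10:compile",
            "[INFO] +- p6spy:p6spy:jar:3.8.6:compile");
        List<String> patched = Arrays.asList(
            "[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.1:compile",
            "[INFO] +- p6spy:p6spy:jar:3.8.6:compile");
        System.out.println(assess(exposed));
        System.out.println(assess(patched));
    }
}
```

Feed it the output of `mvn dependency:tree` for each module; the first tree reports the gadget chain as reachable, the second is ruled out on version alone. Shaded or fat jars hide transitive versions from this check, so for those inspect the jar's META-INF/maven entries or the jackson-databind manifest version instead.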
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Red Hat Customer Portal (several advisories) | REDHAT | access.redhat.com | Third Party Advisory |
| Pony Mail! (several lists.apache.org threads) | MLIST | lists.apache.org | Mailing List, Third Party Advisory |
| On Jackson CVEs: Don’t Panic — Here is what you need to know (by @cowtowncoder, Medium) | MISC | medium.com | Exploit, Third Party Advisory |
| Oracle Critical Patch Update Advisory - July 2020 | MISC | www.oracle.com | Third Party Advisory |
| [SECURITY] Fedora 30 Update: jackson-core-2.10.0-1.fc30 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| October 2019 FasterXML jackson-databind Vulnerabilities in NetApp Products (NetApp Product Security) | CONFIRM | security.netapp.com | Third Party Advisory |
| [SECURITY] Fedora 31 Update: jackson-core-2.10.0-1.fc31 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| Oracle Critical Patch Update Advisory - October 2020 | MISC | www.oracle.com | Third Party Advisory |
| Oracle Critical Patch Update Advisory - July 2021 | MISC | www.oracle.com | Third Party Advisory |
| Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943) · Issue #2478 · FasterXML/jackson-databind · GitHub | MISC | github.com | Patch, Third Party Advisory |
| Bugtraq: [SECURITY] [DSA 4542-1] jackson-databind security update | BUGTRAQ | seclists.org | Issue Tracking, Mailing List, Third Party Advisory |
| [SECURITY] [DLA 1943-1] jackson-databind security update | MLIST | lists.debian.org | Mailing List, Third Party Advisory |
| Debian -- Security Information -- DSA-4542-1 jackson-databind | DEBIAN | www.debian.org | Mailing List, Third Party Advisory |
| Oracle Critical Patch Update Advisory - January 2020 | MISC | www.oracle.com | Third Party Advisory |
| Oracle Critical Patch Update Advisory - April 2020 | MISC | www.oracle.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159663 Oracle Enterprise Linux Security Update for pki-core:10.6 and pki-deps:10.6 (ELSA-2020-1644)
- 940247 AlmaLinux Security Update for pki-core:10.6 and pki-deps:10.6 (ALSA-2020:1644)
- 960724 Rocky Linux Security Update for pki-core:10.6 and pki-deps:10.6 (RLSA-2020:1644)
- 981966 Java (maven) Security Update for com.fasterxml.jackson.core:jackson-databind (GHSA-fmmc-742q-jg75)