CVE-2018-14719
📋 TL;DR
CVE-2018-14719 is a remote code execution vulnerability in FasterXML jackson-databind versions 2.x before 2.9.7. The library failed to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization, so an attacker who can get the application to deserialize crafted JSON with polymorphic type handling enabled can execute arbitrary code. Any application using a vulnerable jackson-databind version that deserializes untrusted data is affected.
💻 Affected Systems
- FasterXML jackson-databind
📦 What is this software?
- Business Process Management Suite by Oracle
- Communications Billing And Revenue Management by Oracle
- Enterprise Manager For Virtualization by Oracle
- Financial Services Analytical Applications Infrastructure by Oracle
- Global Lifecycle Management Opatch by Oracle
- Primavera P6 Enterprise Project Portfolio Management by Oracle
- Retail Workforce Management Software by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with remote code execution as the application user, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Remote code execution leading to application compromise, data exfiltration, or service disruption.
If Mitigated
Limited impact if default typing is disabled and JSON input is validated before deserialization; a malicious payload is then at most a denial of service.
🎯 Exploit Status
Exploitation requires the application to deserialize untrusted JSON data. Public proof-of-concept code exists demonstrating the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.7 or later
Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2097
Restart Required: Yes
Instructions:
1. Identify the jackson-databind version in your application.
2. Update the dependency to version 2.9.7 or later.
3. Rebuild and redeploy the application.
4. Restart affected services.
🔧 Temporary Workarounds
Block dangerous classes
Keep the blaze-ds-opt and blaze-ds-core classes out of every deserialization path. jackson-databind only resolves a class named in the JSON when polymorphic typing is enabled, so an ObjectMapper that reads untrusted input must not enable it; if the application does not need those libraries at all, removing them from the classpath removes the gadget as well. The snippet originally shown here called mapper.enableDefaultTyping() and registered a mix-in on Object.class: the first is precisely the setting this vulnerability relies on, and the second does not block any particular class, so neither belongs in the configuration.
Add to application configuration: ObjectMapper mapper = new ObjectMapper(); // default typing left disabled
Disable default typing
Disable polymorphic type handling in the ObjectMapper configuration: do not call enableDefaultTyping() or enableDefaultTypingAsProperty() on any mapper that handles untrusted data, and avoid @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) on fields typed as Object or as an interface that untrusted input can populate.
Configure ObjectMapper without default typing: ObjectMapper mapper = new ObjectMapper();
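The two workarounds above, as an added example that is not from the original page or the jackson-databind project: a weak mapper with global default typing shown only for contrast, next to a hardened mapper that leaves default typing off and allows polymorphism solely through an explicit, named subtype list on one base type. The Notification, Email and Sms types and the sample JSON are constructed for this illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class SafePolymorphism {
    // Hypothetical domain type. Polymorphism is declared on this one base type with
    // logical names, so the JSON never carries a class name and no class lookup occurs.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Email.class, name = "email"),
        @JsonSubTypes.Type(value = Sms.class, name = "sms")
    })
    public interface Notification { String target(); }

    public static final class Email implements Notification {
        public String address;
        public String target() { return address; }
    }
    public static final class Sms implements Notification {
        public String number;
        public String target() { return number; }
    }

    // Weak configuration, shown only for contrast: global default typing lets any
    // Object- or abstract-typed value name a class in the input (as ["class", {...}]).
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // the setting CVE-2018-14719 relies on; do not ship this
        return m;
    }

    // Hardened configuration: default typing stays off; only annotated subtypes resolve.
    static ObjectMapper hardenedMapper() { return new ObjectMapper(); }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();
        // Constructed sample input: a listed logical id is accepted.
        Notification ok = mapper.readValue(
            "{\"type\":\"email\",\"address\":\"ops@example.org\"}", Notification.class);
        System.out.println("accepted: " + ok.target());
        // Constructed sample input: an id not on the allow-list, here a fully qualified
        // class name, is rejected before any class is resolved or loaded.
        try {
            mapper.readValue("{\"type\":\"java.util.HashMap\",\"x\":1}", Notification.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

Log the rejected type id from the catch block: it is the same InvalidTypeIdException the SIEM query in the detection section keys on.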
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all JSON input
- Use network segmentation to isolate vulnerable applications and implement strict firewall rules
🔍 How to Verify
Check if Vulnerable:
Check pom.xml, build.gradle, or the JAR manifest for the jackson-databind version, including versions pulled in transitively by other libraries. Use: mvn dependency:tree | grep jackson-databind or gradle dependencies | grep jackson-databind
Check Version:
mvn dependency:tree | grep jackson-databind
Verify Fix Applied:
Verify the updated version in the dependency files and confirm that the jackson-databind JAR actually deployed is 2.9.7 or later; a transitive dependency can still pull in an older build even after the direct dependency is bumped.
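A small checker for the verification step above, added here and not part of the original page: it scans mvn dependency:tree output for jackson-databind coordinates, skips versions Maven marks as omitted (they lost conflict resolution and are not on the effective classpath), and reports any version older than the fixed 2.9.7. The tree text in main is a constructed sample, and the version comparison assumes purely numeric segments.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JacksonDatabindCheck {
    static final String FIXED_VERSION = "2.9.7";
    // Coordinates as printed by `mvn dependency:tree`, e.g. ...:jackson-databind:jar:2.9.5:compile
    static final Pattern COORD = Pattern.compile(
        "com\\.fasterxml\\.jackson\\.core:jackson-databind:jar:([0-9][0-9A-Za-z.\\-]*)");
    // Numeric, segment-by-segment comparison ("2.9.10" > "2.9.7"); a missing segment counts
    // as 0 and a non-numeric qualifier such as "-rc1" is ignored (assumption: rare in practice).
    static int compareVersions(String a, String b) {
        String[] pa = a.split("[.\\-]"), pb = b.split("[.\\-]");
        for (int i = 0; i < Math.max(pa.length, pb.length); i++) {
            int x = i < pa.length && pa[i].matches("\\d+") ? Integer.parseInt(pa[i]) : 0;
            int y = i < pb.length && pb[i].matches("\\d+") ? Integer.parseInt(pb[i]) : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }
    // Returns each jackson-databind version in the tree that is older than 2.9.7. Lines
    // Maven marks as "omitted" are skipped: that version lost conflict resolution and
    // is not on the effective classpath, so only the winning version matters.
    static List<String> vulnerableVersions(String treeOutput) {
        List<String> hits = new ArrayList<>();
        for (String line : treeOutput.split("\\R")) {
            if (line.contains("omitted for")) continue;
            Matcher m = COORD.matcher(line);
            while (m.find()) {
                if (compareVersions(m.group(1), FIXED_VERSION) < 0) hits.add(m.group(1));
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample of `mvn dependency:tree` output, not from a real project.
        String tree = String.join("\n",
            "[INFO] com.example:app:jar:1.0",
            "[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.5:compile",
            "[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.5:compile",
            "[INFO] \\- org.example:lib:jar:3.1:compile",
            "[INFO]    \\- (com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile"
                + " - omitted for conflict with 2.9.5)");
        List<String> bad = vulnerableVersions(tree);
        System.out.println(bad.isEmpty() ? "OK: jackson-databind >= 2.9.7"
                                         : "VULNERABLE: jackson-databind " + bad);
    }
}
```

Pipe real output in with mvn dependency:tree and feed it to vulnerableVersions; the sample above reports 2.9.5 as vulnerable because the 2.9.8 line was omitted by Maven, which is exactly the case a bare grep would misread.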
📡 Detection & Monitoring
Log Indicators:
- Unusual Java class loading errors, unexpected deserialization attempts, stack traces containing blaze-ds-opt or blaze-ds-core
Network Indicators:
- Unusual outbound connections from application servers, unexpected JSON payloads to deserialization endpoints
SIEM Query:
source="application.logs" AND ("blaze-ds-opt" OR "blaze-ds-core" OR "ClassNotFoundException" OR "InvalidTypeIdException")
Note that ClassNotFoundException and InvalidTypeIdException also occur under benign misconfiguration and missing dependencies, so treat matches as triage leads and tune the query per application rather than alerting on every hit.
🔗 References
- https://access.redhat.com/errata/RHBA-2019:0959
- https://access.redhat.com/errata/RHSA-2019:0782
- https://access.redhat.com/errata/RHSA-2019:0877
- https://access.redhat.com/errata/RHSA-2019:1782
- https://access.redhat.com/errata/RHSA-2019:1797
- https://access.redhat.com/errata/RHSA-2019:1822
- https://access.redhat.com/errata/RHSA-2019:1823
- https://access.redhat.com/errata/RHSA-2019:2804
- https://access.redhat.com/errata/RHSA-2019:2858
- https://access.redhat.com/errata/RHSA-2019:3002
- https://access.redhat.com/errata/RHSA-2019:3140
- https://access.redhat.com/errata/RHSA-2019:3149
- https://access.redhat.com/errata/RHSA-2019:3892
- https://access.redhat.com/errata/RHSA-2019:4037
- https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44
- https://github.com/FasterXML/jackson-databind/issues/2097
- https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html
- https://seclists.org/bugtraq/2019/May/68
- https://security.netapp.com/advisory/ntap-20190530-0003/
- https://www.debian.org/security/2019/dsa-4452
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html