CVE-2018-14721
📋 TL;DR
CVE-2018-14721 is a Server-Side Request Forgery (SSRF) vulnerability in FasterXML jackson-databind versions 2.x before 2.9.7. It allows attackers to make arbitrary HTTP requests from vulnerable servers by exploiting polymorphic deserialization of the axis2-jaxws class. This affects any application using vulnerable versions of jackson-databind for JSON deserialization.
💻 Affected Systems
- FasterXML jackson-databind
📦 What is this software?
- Communications Billing And Revenue Management by Oracle
- Enterprise Manager For Virtualization by Oracle
- Financial Services Analytical Applications Infrastructure by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through SSRF leading to internal network reconnaissance, data exfiltration, or lateral movement to other systems.
Likely Case
Unauthorized access to internal services, data leakage from internal APIs, or denial of service through internal service abuse.
If Mitigated
Limited impact if network segmentation prevents internal service access and input validation blocks malicious payloads.
🎯 Exploit Status
Exploitation requires sending specially crafted JSON payloads to endpoints that deserialize untrusted data.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.7 or later
Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:0782
Restart Required: Yes
Instructions:
1. Update the jackson-databind dependency to version 2.9.7 or higher.
2. Update all transitive dependencies that include jackson-databind.
3. Restart affected applications.
🔧 Temporary Workarounds
Block axis2-jaxws class in deserialization
Configure the Jackson ObjectMapper so that the axis2-jaxws class can never be selected from incoming JSON. The snippet originally shown here called enableDefaultTyping(), which is the very setting that makes CVE-2018-14721 exploitable, and registered an undefined mix-in against Object.class; the corrected form leaves default typing off and keeps the mix-in as a secondary control only:

import com.fasterxml.jackson.annotation.JsonIgnoreType;
import com.fasterxml.jackson.databind.ObjectMapper;

// Mix-in: any property declared with the target type is ignored on (de)serialization.
@JsonIgnoreType
abstract class MyMixInForIgnoreType {}

ObjectMapper mapper = new ObjectMapper();
// Do NOT call mapper.enableDefaultTyping(): Jackson 2.9 has no public allow-list API for default
// typing, so leaving it off (and declaring polymorphism explicitly with @JsonTypeInfo(use = Id.NAME)
// plus @JsonSubTypes) is the only reliable pre-2.9.7 workaround.
// addMixIn replaces the deprecated setMixInAnnotations. Target the blocked class, not Object.class,
// which would suppress ordinary deserialization. BLOCKED_AXIS2_JAXWS_CLASS is a placeholder for the
// class's fully qualified name (see the fix commit in the references); Class.forName throws
// ClassNotFoundException when axis2-jaxws is absent from the classpath, in which case the gadget
// cannot load at all.
mapper.addMixIn(Class.forName(BLOCKED_AXIS2_JAXWS_CLASS), MyMixInForIgnoreType.class);
🧯 If You Can't Patch
- Implement strict input validation to reject JSON containing suspicious class names
- Use network segmentation to limit server's ability to make outbound HTTP requests
🔍 How to Verify
Check if Vulnerable:
Check pom.xml, build.gradle, or dependency manifest for jackson-databind version < 2.9.7
Check Version:
mvn dependency:tree | grep jackson-databind
or, for Gradle:
gradle dependencies | grep jackson-databind
Verify Fix Applied:
Verify jackson-databind version is 2.9.7 or higher in dependency files
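As an added check for the verification step above and for the transitive-dependency step in the fix instructions (example code written for this page, not from the advisory or from FasterXML): a small Python scanner over constructed `mvn dependency:tree` and `gradle dependencies` output that reports every jackson-databind occurrence, direct or transitive, whose effective version is a 2.x release below 2.9.7, including Gradle's "old -> resolved" rewrites and pre-release suffixes. The sample tree text and the version-ordering rules are my own assumptions.

```python
import re

PATCHED = (2, 9, 7, 0)  # first fixed release per the advisory, in parse_version() form

# Coordinates as printed by `mvn dependency:tree` (group:artifact:jar:version:scope) and by
# `gradle dependencies` (group:artifact:version, optionally "old -> resolved"). Assumption:
# the tools' default output layouts; Maven's verbose "omitted for conflict" lines are not handled.
_COORD = re.compile(
    r"com\.fasterxml\.jackson\.core:jackson-databind(?::jar)?:(?P<ver>[0-9][\w.\-]*)"
    r"(?:\s*->\s*(?P<resolved>[0-9][\w.\-]*))?"
)

def parse_version(v):
    """'2.9.6' -> (2, 9, 6, 0); '2.9.7.rc1' -> (2, 9, 7, -1), so a pre-release sorts below its final."""
    nums, pre = [], 0
    for part in re.split(r"[.\-]", v):
        if part.isdigit():
            nums.append(int(part))
        else:
            pre = -1  # rc/pr suffix
            break
    nums += [0] * (3 - len(nums))  # pad '2.9' to '2.9.0'
    return tuple(nums) + (pre,)

def is_vulnerable(v):
    """True for 2.x releases below 2.9.7; 1.x (a different artifact lineage) and 3.x are out of scope."""
    t = parse_version(v)
    return t[0] == 2 and t < PATCHED

def find_vulnerable(tree_output):
    """(line_no, effective_version) for every jackson-databind node, direct or transitive, whose
    version actually on the classpath is vulnerable; for Gradle 'a -> b' lines that is b."""
    hits = []
    for n, line in enumerate(tree_output.splitlines(), 1):
        m = _COORD.search(line)
        if m:
            ver = m.group("resolved") or m.group("ver")
            if is_vulnerable(ver):
                hits.append((n, ver))
    return hits

# Constructed sample: vulnerable direct Maven dep, fixed transitive dep, Gradle conflict-resolved line, old Gradle pin.
SAMPLE_TREE = """\
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.6:compile
[INFO] \\- org.example:some-lib:jar:1.0:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-databind:jar:2.9.7:compile
+--- com.fasterxml.jackson.core:jackson-databind:2.9.5 -> 2.9.10
\\--- com.fasterxml.jackson.core:jackson-databind:2.8.11.1
"""
```

`find_vulnerable(SAMPLE_TREE)` returns `[(1, '2.9.6'), (5, '2.8.11.1')]`: line 3 is already at the fixed version and line 4 resolves upward to 2.9.10, so only the direct 2.9.6 dependency and the old 2.8.11.1 pin need an upgrade.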
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from application servers
- Deserialization errors involving axis2-jaxws class
Network Indicators:
- HTTP requests to internal services from application servers
- Unusual traffic patterns from servers to unexpected destinations
SIEM Query:
source="app-server" dest_ip IN (internal_subnets) AND http_method IN (GET, POST)
🔗 References
- https://access.redhat.com/errata/RHBA-2019:0959
- https://access.redhat.com/errata/RHSA-2019:0782
- https://access.redhat.com/errata/RHSA-2019:1106
- https://access.redhat.com/errata/RHSA-2019:1107
- https://access.redhat.com/errata/RHSA-2019:1108
- https://access.redhat.com/errata/RHSA-2019:1140
- https://access.redhat.com/errata/RHSA-2019:1822
- https://access.redhat.com/errata/RHSA-2019:1823
- https://access.redhat.com/errata/RHSA-2019:2858
- https://access.redhat.com/errata/RHSA-2019:3149
- https://access.redhat.com/errata/RHSA-2019:3892
- https://access.redhat.com/errata/RHSA-2019:4037
- https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44
- https://github.com/FasterXML/jackson-databind/issues/2097
- https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html
- https://seclists.org/bugtraq/2019/May/68
- https://security.netapp.com/advisory/ntap-20190530-0003/
- https://www.debian.org/security/2019/dsa-4452
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html