CVE-2019-12017
📋 TL;DR
This CVE describes a remote code execution vulnerability in MapR CLDB code where an attacker can exploit JSON deserialization to execute arbitrary code on the MapR CLDB server. The vulnerability allows complete takeover of the MapR cluster by forcing the system to load and execute malicious Java classes. This affects the entire MapR core platform.
💻 Affected Systems
- MapR Core Platform
📦 What is this software?
MapR by MapR
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the MapR cluster, allowing an attacker to execute arbitrary code with CLDB privileges, potentially leading to data theft, destruction, or lateral movement within the environment.
Likely Case
Remote code execution leading to cluster compromise, data exfiltration, and potential ransomware deployment.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to CLDB services.
🎯 Exploit Status
The vulnerability is in JSON deserialization, which is a common attack vector with known exploitation patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions that include the Jackson library upgrade and proper JSON deserialization controls
Vendor Advisory: https://mapr.com/support/s/article/Remote-code-execution-vulnerability-in-MapR-MFS-CLDB?language=en_US
Restart Required: Yes
Instructions:
1. Apply MapR security patches for CVE-2019-12017.
2. Upgrade to versions using Jackson library with proper deserialization controls.
3. Restart CLDB services.
4. Verify the fix by checking version and testing JSON handling.
🔧 Temporary Workarounds
Network Access Restriction
Linux: Restrict network access to CLDB services to only trusted management networks
iptables -A INPUT -p tcp --dport [CLDB_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [CLDB_PORT] -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate CLDB services from untrusted networks
- Deploy web application firewall (WAF) rules to block malicious JSON payloads targeting the 'class' property
🔍 How to Verify
Check if Vulnerable:
Check the MapR version and verify whether JSON deserialization uses vulnerable libraries. Review the CLDB configuration for Jackson library usage.
Check Version:
maprcli node list -columns hostname,svc,version
Verify Fix Applied:
Verify that the MapR version is patched, and test JSON requests with the 'class' property to ensure they are rejected or properly handled.
📡 Detection & Monitoring
Log Indicators:
- Unusual JSON requests to CLDB endpoints
- Failed authentication attempts with malformed JSON
- Unexpected Java class loading in CLDB logs
Network Indicators:
- HTTP/HTTPS requests to CLDB ports containing 'class' property in JSON payloads
- Outbound connections from CLDB to unexpected remote hosts
SIEM Query:
source="mapr_cldb.log" AND ("class" OR "JSON deserialization" OR "URLClassLoader")
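One way to apply the 'class' property indicator to captured request bodies, as an added example that is not MapR's code and not part of the vendor advisory: it parses each body and reports every object key named class at any depth, so a key written with a JSON escape is matched and a string value that merely contains the word is not. The sample bodies, the com.example.Placeholder value and the function names are constructed for illustration; the actual CLDB request format is not given on this page.

```python
import json

SUSPECT_KEY = "class"  # property name taken from the indicators above


def find_suspect_keys(node, path="$"):
    """Return the JSON path of every object key equal to SUSPECT_KEY."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == SUSPECT_KEY:
                hits.append(child)
            hits.extend(find_suspect_keys(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_suspect_keys(value, f"{path}[{i}]"))
    return hits


def inspect_body(body):
    """Return (verdict, detail) for one request body (str or bytes)."""
    try:
        doc = json.loads(body)
    except (ValueError, RecursionError) as exc:
        # Fail closed: a body the filter cannot parse is not passed on.
        return "reject", [f"unparseable JSON: {type(exc).__name__}"]
    hits = find_suspect_keys(doc)
    return ("reject", hits) if hits else ("allow", [])


# Constructed sample bodies, not captured traffic.
SAMPLES = {
    "plain": '{"volume": "users", "mode": "rw"}',
    "top_level": '{"class": "com.example.Placeholder", "name": "x"}',
    "nested": '{"req": {"items": [{"id": 1}, {"class": "com.example.Placeholder"}]}}',
    "escaped_key": '{"cl\\u0061ss": "com.example.Placeholder"}',
    "value_only": '{"note": "class schedule for monday"}',
    "truncated": '{"class": "com.example.Placeholder"',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict, detail = inspect_body(body)
        print(f"{name:12} {verdict:7} {detail}")
```

The same function can back a log-review script or a reverse-proxy filter; matching on the parsed key rather than the raw text is what keeps the value_only sample from producing a false positive.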