CVE-2019-14379
📋 TL;DR
CVE-2019-14379 is a remote code execution vulnerability in FasterXML jackson-databind that occurs when default typing is enabled and ehcache is used. Attackers can exploit this by sending malicious JSON payloads to execute arbitrary code on vulnerable systems. This affects applications using jackson-databind with default typing enabled and ehcache dependency present.
💻 Affected Systems
- FasterXML jackson-databind
- Applications using jackson-databind with ehcache
📦 What is this software?
Communications Diameter Signaling Router by Oracle
View all CVEs affecting Communications Diameter Signaling Router →
Communications Diameter Signaling Router by Oracle
View all CVEs affecting Communications Diameter Signaling Router →
Communications Diameter Signaling Router by Oracle
View all CVEs affecting Communications Diameter Signaling Router →
Communications Diameter Signaling Router by Oracle
View all CVEs affecting Communications Diameter Signaling Router →
Communications Instant Messaging Server by Oracle
View all CVEs affecting Communications Instant Messaging Server →
Fedora by Fedoraproject
Fedora by Fedoraproject
Fedora by Fedoraproject
Financial Services Analytical Applications Infrastructure by Oracle
View all CVEs affecting Financial Services Analytical Applications Infrastructure →
Jboss Enterprise Application Platform by Redhat
View all CVEs affecting Jboss Enterprise Application Platform →
Jboss Enterprise Application Platform by Redhat
View all CVEs affecting Jboss Enterprise Application Platform →
Jboss Enterprise Application Platform by Redhat
View all CVEs affecting Jboss Enterprise Application Platform →
Jboss Enterprise Application Platform by Redhat
View all CVEs affecting Jboss Enterprise Application Platform →
Jboss Enterprise Application Platform by Redhat
View all CVEs affecting Jboss Enterprise Application Platform →
Jboss Enterprise Application Platform by Redhat
View all CVEs affecting Jboss Enterprise Application Platform →
Jd Edwards Enterpriseone Orchestrator by Oracle
View all CVEs affecting Jd Edwards Enterpriseone Orchestrator →
Retail Customer Management And Segmentation Foundation by Oracle
View all CVEs affecting Retail Customer Management And Segmentation Foundation →
Siebel Engineering Installer \& Deployment by Oracle
View all CVEs affecting Siebel Engineering Installer \& Deployment →
Xcode by Apple
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary code, steal data, install malware, or pivot to other systems.
Likely Case
Remote code execution leading to data theft, application compromise, or server takeover.
If Mitigated
Limited impact if default typing is disabled or proper input validation is implemented.
🎯 Exploit Status
Exploitation requires sending specially crafted JSON payloads to endpoints that deserialize JSON with default typing enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: jackson-databind 2.9.9.2 or later
Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2389
Restart Required: Yes
Instructions:
1. Update jackson-databind dependency to version 2.9.9.2 or later. 2. Update pom.xml or build.gradle to use patched version. 3. Rebuild and redeploy application. 4. Restart affected services.
🔧 Temporary Workarounds
Disable default typing
allDisable default typing in ObjectMapper configuration to prevent polymorphic type handling
// Java code: objectMapper.disableDefaultTyping();
Remove ehcache dependency
allRemove or update net.sf.ehcache dependency if not required
<!-- Maven: Remove <dependency> for ehcache -->
// Gradle: Remove 'net.sf.ehcache:ehcache' from dependencies
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all JSON inputs
- Use network segmentation to isolate vulnerable systems and implement WAF rules to block suspicious JSON payloads
🔍 How to Verify
Check if Vulnerable:
Check application dependencies for jackson-databind version < 2.9.9.2 and presence of ehcache dependencyCheck Version:
mvn dependency:tree | grep jackson-databind OR gradle dependencies | grep jackson-databindVerify Fix Applied:
Verify jackson-databind version is 2.9.9.2 or later in dependencies and test JSON deserialization functionality📡 Detection & Monitoring
Log Indicators:
- Unusual deserialization errors
- Stack traces containing SubTypeValidator or DefaultTransactionManagerLookup
- Unexpected process execution from Java application
Network Indicators:
- HTTP requests with unusual JSON payloads containing class names
- Outbound connections from application to unexpected destinations
SIEM Query:
source="application.logs" AND ("SubTypeValidator" OR "DefaultTransactionManagerLookup" OR "ehcache")🔗 References
- http://seclists.org/fulldisclosure/2022/Mar/23
- https://access.redhat.com/errata/RHBA-2019:2824
- https://access.redhat.com/errata/RHSA-2019:2743
- https://access.redhat.com/errata/RHSA-2019:2858
- https://access.redhat.com/errata/RHSA-2019:2935
- https://access.redhat.com/errata/RHSA-2019:2936
- https://access.redhat.com/errata/RHSA-2019:2937
- https://access.redhat.com/errata/RHSA-2019:2938
- https://access.redhat.com/errata/RHSA-2019:2998
- https://access.redhat.com/errata/RHSA-2019:3044
- https://access.redhat.com/errata/RHSA-2019:3045
- https://access.redhat.com/errata/RHSA-2019:3046
- https://access.redhat.com/errata/RHSA-2019:3050
- https://access.redhat.com/errata/RHSA-2019:3149
- https://access.redhat.com/errata/RHSA-2019:3200
- https://access.redhat.com/errata/RHSA-2019:3292
- https://access.redhat.com/errata/RHSA-2019:3297
- https://access.redhat.com/errata/RHSA-2019:3901
- https://access.redhat.com/errata/RHSA-2020:0727
- https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2
- https://github.com/FasterXML/jackson-databind/issues/2387
- https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69%40%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815%40%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d%40%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf%40%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f%40%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54%40%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3Cdev.struts.apache.org%3E
- https://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17%40%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d%40%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f%40%3Ccommits.ambari.apache.org%3E
- https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a%40%3Ccommits.ambari.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/
- https://security.netapp.com/advisory/ntap-20190814-0001/
- https://support.apple.com/kb/HT213189
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- http://seclists.org/fulldisclosure/2022/Mar/23
- https://access.redhat.com/errata/RHBA-2019:2824
- https://access.redhat.com/errata/RHSA-2019:2743
- https://access.redhat.com/errata/RHSA-2019:2858
- https://access.redhat.com/errata/RHSA-2019:2935
- https://access.redhat.com/errata/RHSA-2019:2936
- https://access.redhat.com/errata/RHSA-2019:2937
- https://access.redhat.com/errata/RHSA-2019:2938
- https://access.redhat.com/errata/RHSA-2019:2998
- https://access.redhat.com/errata/RHSA-2019:3044
- https://access.redhat.com/errata/RHSA-2019:3045
- https://access.redhat.com/errata/RHSA-2019:3046
- https://access.redhat.com/errata/RHSA-2019:3050
- https://access.redhat.com/errata/RHSA-2019:3149
- https://access.redhat.com/errata/RHSA-2019:3200
- https://access.redhat.com/errata/RHSA-2019:3292
- https://access.redhat.com/errata/RHSA-2019:3297
- https://access.redhat.com/errata/RHSA-2019:3901
- https://access.redhat.com/errata/RHSA-2020:0727
- https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2
- https://github.com/FasterXML/jackson-databind/issues/2387
- https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69%40%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815%40%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d%40%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf%40%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f%40%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54%40%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3Cdev.struts.apache.org%3E
- https://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17%40%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d%40%3Cissues.iceberg.apache.org%3E
- https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f%40%3Ccommits.ambari.apache.org%3E
- https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a%40%3Ccommits.ambari.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/
- https://security.netapp.com/advisory/ntap-20190814-0001/
- https://support.apple.com/kb/HT213189
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
