CVE-2019-14540
📋 TL;DR
CVE-2019-14540 is a deserialization vulnerability in FasterXML jackson-databind that allows remote code execution through polymorphic type handling. Attackers can exploit this by sending malicious JSON payloads that trigger the deserialization of dangerous classes. Applications using jackson-databind with HikariCP or similar libraries are affected.
💻 Affected Systems
- FasterXML jackson-databind
- Applications using jackson-databind with HikariCP
📦 What is this software?
Customer Management And Segmentation Foundation by Oracle
View all CVEs affecting Customer Management And Segmentation Foundation →
Fedora by Fedoraproject
Fedora by Fedoraproject
Financial Services Analytical Applications Infrastructure by Oracle
View all CVEs affecting Financial Services Analytical Applications Infrastructure →
Global Lifecycle Management Opatch by Oracle
View all CVEs affecting Global Lifecycle Management Opatch →
Global Lifecycle Management Opatch by Oracle
View all CVEs affecting Global Lifecycle Management Opatch →
Global Lifecycle Management Opatch by Oracle
View all CVEs affecting Global Lifecycle Management Opatch →
Jboss Enterprise Application Platform by Redhat
View all CVEs affecting Jboss Enterprise Application Platform →
Jboss Enterprise Application Platform by Redhat
View all CVEs affecting Jboss Enterprise Application Platform →
Mysql by Oracle
Mysql by Oracle
Retail Customer Management And Segmentation Foundation by Oracle
View all CVEs affecting Retail Customer Management And Segmentation Foundation →
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution with the privileges of the application, potentially leading to complete system compromise, data theft, and lateral movement.
Likely Case
Remote code execution leading to application compromise, data exfiltration, and potential privilege escalation within the affected environment.
If Mitigated
Limited impact with proper input validation, network segmentation, and minimal privileges, potentially reducing to denial of service or information disclosure.
🎯 Exploit Status
Exploitation requires sending crafted JSON payloads to endpoints that deserialize untrusted data. Multiple proof-of-concept exploits are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.10 or later
Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:3200
Restart Required: Yes
Instructions:
1. Identify all applications using jackson-databind. 2. Update jackson-databind dependency to version 2.9.10 or later. 3. Rebuild and redeploy affected applications. 4. Restart application servers.
🔧 Temporary Workarounds
Disable polymorphic type handling
allConfigure Jackson ObjectMapper to disable default typing and polymorphic type handling for untrusted sources.
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // Remove or disable this line
mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);
Block dangerous classes
allUse Jackson's SubTypeValidator to block known dangerous classes from being deserialized.
SimpleModule module = new SimpleModule();
module.setMixInAnnotation(HikariConfig.class, BlockHikariConfigMixin.class);
mapper.registerModule(module);
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all JSON inputs.
- Deploy network segmentation and WAF rules to block malicious payloads targeting this vulnerability.
🔍 How to Verify
Check if Vulnerable:
Check Maven/Gradle dependencies for jackson-databind versions <2.9.10. Use: mvn dependency:tree | grep jackson-databind or gradle dependencies | grep jackson-databind.Check Version:
mvn dependency:tree | grep jackson-databind || gradle dependencies | grep jackson-databind || find . -name "*.jar" -exec jar tf {} \; | grep jackson-databindVerify Fix Applied:
Verify jackson-databind version is >=2.9.10 in dependency files and deployed artifacts. Test with known exploit payloads to ensure they are rejected.📡 Detection & Monitoring
Log Indicators:
- Java stack traces containing 'com.fasterxml.jackson.databind' with deserialization errors
- Unusual class loading attempts for HikariConfig or similar classes
- Large or malformed JSON payloads in request logs
Network Indicators:
- HTTP requests with JSON payloads containing type information fields
- Requests to JSON endpoints with unusual content types or headers
SIEM Query:
source="application.logs" AND ("jackson.databind" OR "HikariConfig") AND ("deserialization" OR "ClassNotFoundException" OR "InvalidTypeIdException")🔗 References
- https://access.redhat.com/errata/RHSA-2019:3200
- https://access.redhat.com/errata/RHSA-2020:0159
- https://access.redhat.com/errata/RHSA-2020:0160
- https://access.redhat.com/errata/RHSA-2020:0161
- https://access.redhat.com/errata/RHSA-2020:0164
- https://access.redhat.com/errata/RHSA-2020:0445
- https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x
- https://github.com/FasterXML/jackson-databind/issues/2410
- https://github.com/FasterXML/jackson-databind/issues/2449
- https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69%40%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1%40%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016%40%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/a4f2c9fb36642a48912cdec6836ec00e497427717c5d377f8d7ccce6%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9%40%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0%40%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb%40%3Ccommits.hbase.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r8aaf4ee16bbaf6204731d4770d96ebb34b258cd79b491f9cdd7f2540%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
- https://seclists.org/bugtraq/2019/Oct/6
- https://security.netapp.com/advisory/ntap-20191004-0002/
- https://www.debian.org/security/2019/dsa-4542
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://access.redhat.com/errata/RHSA-2019:3200
- https://access.redhat.com/errata/RHSA-2020:0159
- https://access.redhat.com/errata/RHSA-2020:0160
- https://access.redhat.com/errata/RHSA-2020:0161
- https://access.redhat.com/errata/RHSA-2020:0164
- https://access.redhat.com/errata/RHSA-2020:0445
- https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x
- https://github.com/FasterXML/jackson-databind/issues/2410
- https://github.com/FasterXML/jackson-databind/issues/2449
- https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69%40%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1%40%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016%40%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/a4f2c9fb36642a48912cdec6836ec00e497427717c5d377f8d7ccce6%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9%40%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0%40%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb%40%3Ccommits.hbase.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r8aaf4ee16bbaf6204731d4770d96ebb34b258cd79b491f9cdd7f2540%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
- https://seclists.org/bugtraq/2019/Oct/6
- https://security.netapp.com/advisory/ntap-20191004-0002/
- https://www.debian.org/security/2019/dsa-4542
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
