CVE-2019-16942

Q: What is the severity of CVE-2019-16942?

CVE-2019-16942 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote code execution via Java deserialization in Jackson databind when Default Typing is enabled and commons-dbcp is in the classpath. Attackers can exploit this to execute arbitrary code on vulnerable systems. Affected systems include any application using Jackson databind 2.0.0 through 2.9.10 with commons-dbcp 1.4 and exposed JSON endpoints.

9.8 CRITICAL

Remote Code Execution Deserialization

📋 TL;DR

This vulnerability allows remote code execution via Java deserialization in Jackson databind when Default Typing is enabled and commons-dbcp is in the classpath. Attackers can exploit this to execute arbitrary code on vulnerable systems. Affected systems include any application using Jackson databind 2.0.0 through 2.9.10 with commons-dbcp 1.4 and exposed JSON endpoints.

💻 Affected Systems

Products:

FasterXML jackson-databind

Versions: 2.0.0 through 2.9.10

Operating Systems: All platforms running Java

Default Config Vulnerable: ✅ No

Notes: Requires Default Typing enabled (globally or per property) AND commons-dbcp 1.4 in classpath AND exposed JSON endpoint

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with remote code execution leading to data theft, ransomware deployment, or complete system takeover.

🟠

Likely Case

Remote code execution allowing attackers to install backdoors, exfiltrate data, or pivot to other systems.

🟢

If Mitigated

Limited impact if proper network segmentation, input validation, and security controls prevent exploitation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires finding RMI service endpoint and crafting malicious payload

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.10.1 or later

Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2387

Restart Required: Yes

Instructions:

1. Update jackson-databind to version 2.9.10.1 or later. 2. Update commons-dbcp to version 2.0 or later. 3. Restart affected applications.

🔧 Temporary Workarounds

Disable Default Typing

all

Disable Default Typing globally and for all properties in Jackson configuration

Configure ObjectMapper with disableDefaultTyping()

Remove commons-dbcp

all

Remove or update commons-dbcp library from classpath

Remove commons-dbcp-1.4.jar from application classpath

🧯 If You Can't Patch

Implement strict network controls to limit access to JSON endpoints
Use application firewalls to filter malicious JSON payloads

🔍 How to Verify

Check if Vulnerable:

Check application dependencies for jackson-databind version 2.0.0-2.9.10 and commons-dbcp 1.4

Check Version:

mvn dependency:tree | grep jackson-databind && mvn dependency:tree | grep commons-dbcp

Verify Fix Applied:

Verify jackson-databind version is 2.9.10.1+ and commons-dbcp is 2.0+

📡 Detection & Monitoring

Log Indicators:

Unusual deserialization errors
Unexpected RMI connections
Class loading exceptions

Network Indicators:

Suspicious JSON payloads to endpoints
RMI traffic to unexpected destinations

SIEM Query:

source="application.logs" AND ("jackson" OR "deserialization") AND ("error" OR "exception")

📊 Metadata

CVE ID: CVE-2019-16942

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-502

Published: October 1, 2019

Last Updated: November 21, 2024

🔗 References

https://access.redhat.com/errata/RHSA-2019:3901 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0159 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0160 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0161 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0164 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0445 Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2478 Patch,Third Party Advisory
https://issues.apache.org/jira/browse/GEODE-7255 Issue Tracking,Third Party Advisory
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/7782a937c9259a58337ee36b2961f00e2d744feafc13084e176d0df5%40%3Cissues.geode.apache.org%3E
https://lists.apache.org/thread.html/a430dbc9be874c41314cc69e697384567a9a24025e819d9485547954%40%3Cissues.geode.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/b2e23c94f9dfef53e04c492e5d02e5c75201734be7adc73a49ef2370%40%3Cissues.geode.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://seclists.org/bugtraq/2019/Oct/6 Issue Tracking,Mailing List,Third Party Advisory
https://security.netapp.com/advisory/ntap-20191017-0006/ Third Party Advisory
https://www.debian.org/security/2019/dsa-4542 Mailing List,Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html Patch,Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3901 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0159 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0160 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0161 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0164 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0445 Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2478 Patch,Third Party Advisory
https://issues.apache.org/jira/browse/GEODE-7255 Issue Tracking,Third Party Advisory
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/7782a937c9259a58337ee36b2961f00e2d744feafc13084e176d0df5%40%3Cissues.geode.apache.org%3E
https://lists.apache.org/thread.html/a430dbc9be874c41314cc69e697384567a9a24025e819d9485547954%40%3Cissues.geode.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/b2e23c94f9dfef53e04c492e5d02e5c75201734be7adc73a49ef2370%40%3Cissues.geode.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://seclists.org/bugtraq/2019/Oct/6 Issue Tracking,Mailing List,Third Party Advisory
https://security.netapp.com/advisory/ntap-20191017-0006/ Third Party Advisory
https://www.debian.org/security/2019/dsa-4542 Mailing List,Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html Patch,Third Party Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Active Iq Unified Manager by Netapp

Active Iq Unified Manager by Netapp

Active Iq Unified Manager by Netapp

Banking Platform by Oracle

Banking Platform by Oracle

Banking Platform by Oracle

Banking Platform by Oracle

Banking Platform by Oracle

Banking Platform by Oracle

Banking Platform by Oracle

Banking Platform by Oracle

Banking Platform by Oracle

Communications Billing And Revenue Management by Oracle

Communications Billing And Revenue Management by Oracle

Communications Calendar Server by Oracle

Communications Calendar Server by Oracle

Communications Cloud Native Core Network Slice Selection Function by Oracle

Communications Evolved Communications Application Server by Oracle

Database Server by Oracle

Database Server by Oracle

Database Server by Oracle

Debian Linux by Debian

Debian Linux by Debian

Debian Linux by Debian

Fedora by Fedoraproject

Fedora by Fedoraproject

Global Lifecycle Management Nextgen Oui Framework by Oracle

Global Lifecycle Management Nextgen Oui Framework by Oracle

Global Lifecycle Management Nextgen Oui Framework by Oracle

Goldengate Application Adapters by Oracle

Jackson Databind by Fasterxml

Jackson Databind by Fasterxml

Jackson Databind by Fasterxml

Jboss Enterprise Application Platform by Redhat

Jboss Enterprise Application Platform by Redhat

Jd Edwards Enterpriseone Orchestrator by Oracle

Jd Edwards Enterpriseone Tools by Oracle

Oncommand Api Services by Netapp

Oncommand Workflow Automation by Netapp

Primavera Gateway by Oracle

Primavera Gateway by Oracle

Primavera Gateway by Oracle

Primavera Unifier by Oracle

Primavera Unifier by Oracle

Primavera Unifier by Oracle

Primavera Unifier by Oracle

Primavera Unifier by Oracle

Retail Merchandising System by Oracle

Retail Merchandising System by Oracle

Retail Merchandising System by Oracle

Retail Sales Audit by Oracle

Service Level Manager by Netapp

Siebel Engineering Installer \& Deployment by Oracle

Siebel Ui Framework by Oracle

Siebel Ui Framework by Oracle

Steelstore Cloud Integrated Storage by Netapp

Webcenter Portal by Oracle

Webcenter Portal by Oracle

Webcenter Sites by Oracle

Webcenter Sites by Oracle

Weblogic Server by Oracle

Weblogic Server by Oracle

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Default Typing

Remove commons-dbcp

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version: