CVE-2019-17531

Q: What is the severity of CVE-2019-17531?

CVE-2019-17531 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote code execution via Java deserialization in Jackson databind when Default Typing is enabled and the apache-log4j-extra library is present. Attackers can exploit JNDI injection to execute arbitrary code on affected systems. Organizations using Jackson databind 2.0.0 through 2.9.10 with vulnerable configurations are at risk.

9.8 CRITICAL

Remote Code Execution Deserialization

📋 TL;DR

This vulnerability allows remote code execution via Java deserialization in Jackson databind when Default Typing is enabled and the apache-log4j-extra library is present. Attackers can exploit JNDI injection to execute arbitrary code on affected systems. Organizations using Jackson databind 2.0.0 through 2.9.10 with vulnerable configurations are at risk.

💻 Affected Systems

Products:

FasterXML jackson-databind

Versions: 2.0.0 through 2.9.10

Operating Systems: All operating systems running Java

Default Config Vulnerable: ✅ No

Notes: Requires Default Typing enabled (globally or per property) AND apache-log4j-extra 1.2.x in classpath AND ability to reach attacker-controlled JNDI service

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary code, steal data, install malware, or pivot to other systems.

🟠

Likely Case

Remote code execution leading to data exfiltration, service disruption, or lateral movement within the network.

🟢

If Mitigated

Limited impact with proper network segmentation, minimal privileges, and security controls preventing successful exploitation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires specific configuration conditions but has been weaponized in real attacks

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.10.1 or later

Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2387

Restart Required: Yes

Instructions:

1. Update jackson-databind to version 2.9.10.1 or later. 2. Remove apache-log4j-extra 1.2.x from classpath if not needed. 3. Restart affected applications.

🔧 Temporary Workarounds

Disable Default Typing

all

Disable Default Typing configuration in Jackson databind to prevent polymorphic deserialization

Configure ObjectMapper with disableDefaultTyping() or avoid @JsonTypeInfo annotations

Remove vulnerable dependency

all

Remove apache-log4j-extra 1.2.x from classpath if not required

Remove log4j-extras-1.2.x.jar from application classpath

🧯 If You Can't Patch

Implement strict network controls to block outbound LDAP/RMI connections from affected systems
Apply the Java property 'com.sun.jndi.ldap.object.trustURLCodebase=false' to disable remote codebase loading

🔍 How to Verify

Check if Vulnerable:

Check application dependencies for jackson-databind versions 2.0.0-2.9.10 and log4j-extras 1.2.x presence

Check Version:

mvn dependency:tree | grep jackson-databind OR gradle dependencies | grep jackson-databind

Verify Fix Applied:

Verify jackson-databind version is 2.9.10.1+ and log4j-extras is removed or updated

📡 Detection & Monitoring

Log Indicators:

JNDI lookup attempts
Unexpected class loading
Deserialization errors

Network Indicators:

Outbound LDAP/RMI connections to suspicious IPs
Unusual Java serialization traffic

SIEM Query:

source="application.log" AND ("JNDI" OR "lookup" OR "InitialContext")

📊 Metadata

CVE ID: CVE-2019-17531

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-502

Published: October 12, 2019

Last Updated: November 21, 2024

🔗 References

https://access.redhat.com/errata/RHSA-2019:4192 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0159 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0160 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0161 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0164 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0445 Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2498 Patch,Third Party Advisory
https://lists.apache.org/thread.html/b3c90d38f99db546de60fea65f99a924d540fae2285f014b79606ca5%40%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html Mailing List,Third Party Advisory
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://security.netapp.com/advisory/ntap-20191024-0005/ Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html Patch,Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4192 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0159 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0160 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0161 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0164 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0445 Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2498 Patch,Third Party Advisory
https://lists.apache.org/thread.html/b3c90d38f99db546de60fea65f99a924d540fae2285f014b79606ca5%40%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html Mailing List,Third Party Advisory
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://security.netapp.com/advisory/ntap-20191024-0005/ Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html Patch,Third Party Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Banking Platform by Oracle

Banking Platform by Oracle

Banking Platform by Oracle

Banking Platform by Oracle

Banking Platform by Oracle

Banking Platform by Oracle

Banking Platform by Oracle

Banking Platform by Oracle

Banking Platform by Oracle

Communications Billing And Revenue Management by Oracle

Communications Billing And Revenue Management by Oracle

Communications Calendar Server by Oracle

Communications Calendar Server by Oracle

Communications Cloud Native Core Network Slice Selection Function by Oracle

Communications Evolved Communications Application Server by Oracle

Debian Linux by Debian

Global Lifecycle Management Nextgen Oui Framework by Oracle

Global Lifecycle Management Nextgen Oui Framework by Oracle

Global Lifecycle Management Nextgen Oui Framework by Oracle

Goldengate Application Adapters by Oracle

Jackson Databind by Fasterxml

Jackson Databind by Fasterxml

Jackson Databind by Fasterxml

Jboss Enterprise Application Platform by Redhat

Jboss Enterprise Application Platform by Redhat

Jd Edwards Enterpriseone Orchestrator by Oracle

Jd Edwards Enterpriseone Tools by Oracle

Oncommand Workflow Automation by Netapp

Primavera Gateway by Oracle

Primavera Gateway by Oracle

Primavera Gateway by Oracle

Primavera Gateway by Oracle

Primavera Gateway by Oracle

Retail Merchandising System by Oracle

Retail Merchandising System by Oracle

Retail Merchandising System by Oracle

Retail Sales Audit by Oracle

Siebel Engineering Installer \& Deployment by Oracle

Steelstore Cloud Integrated Storage by Netapp

Trace File Analyzer by Oracle

Trace File Analyzer by Oracle

Trace File Analyzer by Oracle

Webcenter Portal by Oracle

Webcenter Portal by Oracle

Webcenter Sites by Oracle

Webcenter Sites by Oracle

Weblogic Server by Oracle

Weblogic Server by Oracle

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Default Typing

Remove vulnerable dependency

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities