
CVE-2019-17531

CVSS Severity Score: 9.8 (CRITICAL)
EPSS Score: 0.1810%
EPSS Percentile: 40.72th
Published: October 12, 2019
Last Modified: November 21, 2024

Vulnerability Description

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Affected Platforms (CPE)

Vendor | Product | Version
Fasterxml | Jackson Databind | >= 2.0.0 and < 2.6.7.3
Fasterxml | Jackson Databind | >= 2.7.0 and < 2.8.11.5
Fasterxml | Jackson Databind | >= 2.9.0 and < 2.9.10.1
Debian | Debian Linux | = 8.0
Redhat | Jboss Enterprise Application Platform | = 7.2
Redhat | Jboss Enterprise Application Platform | = 7.3
Oracle | Banking Platform | = 2.4.0
Oracle | Banking Platform | = 2.4.1
Oracle | Banking Platform | = 2.5.0
Oracle | Banking Platform | = 2.6.0
Oracle | Banking Platform | = 2.6.1
Oracle | Banking Platform | = 2.6.2
Oracle | Banking Platform | = 2.7.0
Oracle | Banking Platform | = 2.7.1
Oracle | Banking Platform | = 2.9.0
Oracle | Communications Billing And Revenue Management | = 7.5.0.23.0
Oracle | Communications Billing And Revenue Management | = 12.0.0.3.0
Oracle | Communications Calendar Server | = 8.0.0.2.0
Oracle | Communications Calendar Server | = 8.0.0.3.0
Oracle | Communications Cloud Native Core Network Slice Selection Function | = 1.2.1
Oracle | Communications Evolved Communications Application Server | = 7.1
Oracle | Global Lifecycle Management Nextgen Oui Framework | = 12.2.1.3.0
Oracle | Global Lifecycle Management Nextgen Oui Framework | = 12.2.1.4.0
Oracle | Global Lifecycle Management Nextgen Oui Framework | = 13.9.4.2.2
Oracle | Goldengate Application Adapters | = 19.1.0.0.0
Oracle | Jd Edwards Enterpriseone Orchestrator | = 9.2
Oracle | Jd Edwards Enterpriseone Tools | = 9.2
Oracle | Primavera Gateway | >= 17.7 and <= 17.12.6
Oracle | Primavera Gateway | >= 18.8.0 and <= 18.8.8
Oracle | Primavera Gateway | = 16.1
Oracle | Primavera Gateway | = 16.2
Oracle | Primavera Gateway | = 19.12.0
Oracle | Retail Merchandising System | = 15.0.3
Oracle | Retail Merchandising System | = 16.0.2
Oracle | Retail Merchandising System | = 16.0.3
Oracle | Retail Sales Audit | = 14.1
Oracle | Siebel Engineering Installer & Deployment | <= 2.20.5
Oracle | Trace File Analyzer | = 12.2.0.1
Oracle | Trace File Analyzer | = 18c
Oracle | Trace File Analyzer | = 19c
Oracle | Webcenter Portal | = 12.2.1.3.0
Oracle | Webcenter Portal | = 12.2.1.4.0
Oracle | Webcenter Sites | = 12.2.1.3.0
Oracle | Webcenter Sites | = 12.2.1.4.0
Oracle | Weblogic Server | = 12.2.1.3.0
Oracle | Weblogic Server | = 12.2.1.4.0
Netapp | Oncommand Workflow Automation | All versions
Netapp | Steelstore Cloud Integrated Storage | All versions

References & Advisories
