CVE-2018-14719

Published: Jan 2, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Affected (54)

Products: Fasterxml: Jackson Databind · Debian: Debian Linux · Oracle: Banking Platform, Business Process Management Suite, Clusterware, Communications Billing And Revenue Management, Database Server, Enterprise Manager For Virtualization, Financial Services Analytical Applications Infrastructure, Global Lifecycle Management Opatch, Jdeveloper, Primavera P6 Enterprise Project Portfolio Management, Primavera Unifier, Retail Merchandising System, Retail Workforce Management Software, Webcenter Portal · +2 more

Show all products

1 product

1 product

14 products

Business Process Management Suite

Clusterware

Communications Billing And Revenue Management

Database Server

Enterprise Manager For Virtualization

Financial Services Analytical Applications Infrastructure

Global Lifecycle Management Opatch

Jdeveloper

Primavera P6 Enterprise Project Portfolio Management

Primavera Unifier

Retail Merchandising System

Retail Workforce Management Software

Webcenter Portal

Redhat

1 product

Openshift Container Platform

Netapp

3 products

Oncommand Workflow Automation

Snapcenter

Steelstore Cloud Integrated Storage

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Fasterxml Jackson Databind	From 2.0.0 to 2.6.7.3
Fasterxml Jackson Databind	From 2.7.0 to 2.7.9.5
Fasterxml Jackson Databind	From 2.8.0 to 2.8.11.3
Fasterxml Jackson Databind	From 2.9.0 to 2.9.7

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Configuration C

42 vulnerable

Vulnerable Software	Affected Versions
Oracle Banking Platform	Version 2.5.0
Oracle Banking Platform	Version 2.6.0
Oracle Banking Platform	Version 2.6.1
Oracle Banking Platform	Version 2.6.2
Oracle Business Process Management Suite	Version 12.1.3.0.0
Oracle Business Process Management Suite	Version 12.2.1.3.0
Oracle Clusterware	Version 12.1.0.2.0
Oracle Communications Billing And Revenue Management	Version 12.0
Oracle Communications Billing And Revenue Management	Version 7.5
Oracle Database Server	Version 11.2.0.4
Oracle Database Server	Version 12.1.0.2
Oracle Database Server	Version 12.2.0.1
Oracle Database Server	Version 18c
Oracle Database Server	Version 19c
Oracle Enterprise Manager For Virtualization	Version 13.2.2
Oracle Enterprise Manager For Virtualization	Version 13.2.3
Oracle Enterprise Manager For Virtualization	Version 13.3.1
Oracle Financial Services Analytical Applications Infrastructure	Version 8.0.2
Oracle Financial Services Analytical Applications Infrastructure	Version 8.0.3
Oracle Financial Services Analytical Applications Infrastructure	Version 8.0.4
Oracle Financial Services Analytical Applications Infrastructure	Version 8.0.5
Oracle Financial Services Analytical Applications Infrastructure	Version 8.0.6
Oracle Financial Services Analytical Applications Infrastructure	Version 8.0.7
Oracle Global Lifecycle Management Opatch	Before 11.2.0.3.23
Oracle Global Lifecycle Management Opatch	From 12.2.0.1.0 to 12.2.0.1.19
Oracle Global Lifecycle Management Opatch	From 13.9.4.0.0 to 13.9.4.2.1
Oracle Jdeveloper	Version 12.1.3.0.0
Oracle Jdeveloper	Version 12.2.1.3.0
Oracle Primavera P6 Enterprise Project Portfolio Management	From 17.7 to 17.12
Oracle Primavera P6 Enterprise Project Portfolio Management	Version 15.1
Oracle Primavera P6 Enterprise Project Portfolio Management	Version 15.2
Oracle Primavera P6 Enterprise Project Portfolio Management	Version 16.1
Oracle Primavera P6 Enterprise Project Portfolio Management	Version 16.2
Oracle Primavera P6 Enterprise Project Portfolio Management	Version 18.8
Oracle Primavera Unifier	From 17.7 to 17.12
Oracle Primavera Unifier	Version 16.1
Oracle Primavera Unifier	Version 16.2
Oracle Primavera Unifier	Version 18.8
Oracle Retail Merchandising System	Version 15.0
Oracle Retail Merchandising System	Version 16.0
Oracle Retail Workforce Management Software	Version 1.60.9.0.0
Oracle Webcenter Portal	Version 12.2.1.3.0

Configuration D

2 vulnerable

Vulnerable Software	Affected Versions
Redhat Openshift Container Platform	From 3.11 to 3.11.153
Redhat Openshift Container Platform	From 4.6 to 4.6.26

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Redhat Openshift Container Platform	From 4.1 to 4.1.18

Running on/with	Platform Versions
Redhat Enterprise Linux	Version 7.0

Configuration F

3 vulnerable

Vulnerable Software	Affected Versions
Netapp Oncommand Workflow Automation	All versions
Netapp Snapcenter	All versions
Netapp Steelstore Cloud Integrated Storage	All versions

Related CWEs

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (62)

https://access.redhat.com/errata/RHBA-2019:0959

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0782

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0877

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1782

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1797

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1822

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1823

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2804

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2858

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3002

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3140

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3149

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3892

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:4037

Source: cve@mitre.org

Third Party Advisory

https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/FasterXML/jackson-databind/issues/2097

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7

Source: cve@mitre.org

PatchRelease NotesThird Party Advisory

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E

Source: cve@mitre.org

https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://seclists.org/bugtraq/2019/May/68

Source: cve@mitre.org

Issue TrackingMailing ListThird Party Advisory

https://security.netapp.com/advisory/ntap-20190530-0003/

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2019/dsa-4452

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Source: cve@mitre.org

PatchThird Party Advisory

https://access.redhat.com/errata/RHBA-2019:0959