CVE-2019-12384: Jackson-databind Remote Code Execution Vulnerability Alert

Recently, a security researcher analyzed a vulnerability in Jackson-databind (CVE-2019-12384) and found that, when certain conditions are met, an attacker can bypass the deserialization blacklist by sending a malicious request and thereby gain remote code execution on the affected server.

Jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on Streaming API (stream parser/generator) package, and uses Jackson Annotations for configuration.

While the original use case for Jackson was JSON data-binding, it can now be used for other data formats as well, as long as parser and generator implementations exist. Class names use the word ‘JSON’ in many places even though there is no actual hard dependency on the JSON format.

Image: doyensec

Affected versions

  • Jackson-databind 2.x <= 2.9.9

Unaffected versions

  • Jackson-databind 2.9.9.1

Solution

FasterXML has fixed the vulnerability in version 2.9.9.1; please upgrade Jackson-databind as soon as possible.
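To check which resolved dependencies of a build fall into the affected range (2.x up to and including 2.9.9, fixed in 2.9.9.1), here is an added Python check that is not part of the advisory or the Jackson project. It reads lines of the form `mvn dependency:tree` prints; the sample tree output is constructed for this example.

```python
import re

# Range stated in the advisory: Jackson-databind 2.x <= 2.9.9 is affected,
# 2.9.9.1 is the first fixed release.
FIXED = (2, 9, 9, 1)

def parse_version(text):
    """Turn '2.9.9' or '2.9.9.1' into a tuple of ints, dropping qualifiers like '-SNAPSHOT'."""
    core = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not core:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in core.group(1).split("."))

def is_affected(version):
    """True when the version is a 2.x release older than the 2.9.9.1 fix.

    Tuple comparison handles the four-component fix version correctly:
    (2, 9, 9) < (2, 9, 9, 1) is True, (2, 9, 9, 1) < (2, 9, 9, 1) is False.
    """
    v = parse_version(version)
    return v[0] == 2 and v < FIXED

# Constructed sample of 'mvn dependency:tree' output with one vulnerable
# compile-scope copy and one fixed test-scope copy of jackson-databind.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.8:compile
[INFO] \\- org.example:lib:jar:3.1:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.1:test
"""

# Maven coordinate as printed by dependency:tree: group:artifact:packaging:version:scope
COORD = re.compile(r"com\.fasterxml\.jackson\.core:jackson-databind:jar:([^:\s]+):(\w+)")

def find_affected(tree_output):
    """Return (version, scope) for every jackson-databind entry in the affected range."""
    hits = []
    for line in tree_output.splitlines():
        m = COORD.search(line)
        if m and is_affected(m.group(1)):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for version, scope in find_affected(SAMPLE_TREE):
        print(f"jackson-databind {version} ({scope}) is in the affected range; upgrade to 2.9.9.1")
```

Pipe real `mvn dependency:tree` output into `find_affected` to audit a project; transitive copies pulled in by other libraries show up the same way as direct ones.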