Service Notices
Remote Command Execution Vulnerability of Jackson Databind (CVE-2019-14439)
Aug 05, 2019 GMT+08:00
I. Overview
HUAWEI CLOUD has recently noticed that a deserialization remote command execution vulnerability (CVE-2019-14439) in jackson-databind has been disclosed. This vulnerability bypasses the fix for CVE-2019-12384. Attackers can construct request packets containing malicious code and send them to servers running affected Jackson versions, causing remote command execution. FasterXML Jackson is a Java data processing tool developed by FasterXML, and Jackson Databind is the core component that provides its data binding function.
Reference links:
https://github.com/FasterXML/jackson-databind/issues/2389
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
Jackson-databind versions earlier than 2.9.9.2
Jackson-databind versions earlier than 2.10.0
Jackson-databind versions earlier than 2.7.9.6
Jackson-databind versions earlier than 2.8.11.4
Secure versions:
Jackson-databind 2.9.9.2 and later
Jackson-databind 2.10.0 and later
Jackson-databind 2.7.9.6 and later
Jackson-databind 2.8.11.4 and later
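As an added triage aid (not part of the original notice), the following script encodes the affected and fixed version ranges listed above and flags jackson-databind entries in Maven dependency-tree output that fall inside an affected range. The sample tree text is constructed for illustration and is not real project output.

```python
import re

# Fixed versions per maintenance branch, taken from the notice above.
FIXED_BY_BRANCH = {(2, 7): (2, 7, 9, 6), (2, 8): (2, 8, 11, 4), (2, 9): (2, 9, 9, 2)}
# Any other release earlier than this is listed as affected.
GENERAL_FIX = (2, 10, 0)


def parse_version(version: str) -> tuple:
    """Turn '2.9.9.2' or '2.9.9-SNAPSHOT' into a comparable int tuple (numeric prefix only)."""
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True if the version falls in one of the affected ranges from the notice."""
    v = parse_version(version)
    if v >= GENERAL_FIX:
        return False
    fix = FIXED_BY_BRANCH.get(v[:2])
    if fix is not None:
        # Maintenance branch with a backported fix: compare against that fix.
        return v < fix
    # Older branches without a listed backport: everything before 2.10.0 is affected.
    return True


# Constructed sample of `mvn dependency:tree` style lines (not real project output).
SAMPLE_TREE = """\
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] +- org.example:other-lib:jar:1.0:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.2:compile
"""

DEP_RE = re.compile(r"com\.fasterxml\.jackson\.core:jackson-databind:jar:([^:\s]+)")


def find_affected(tree_text: str) -> list:
    """Return every jackson-databind version in the tree that the notice lists as affected."""
    hits = []
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if m and is_affected(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    print(find_affected(SAMPLE_TREE))  # prints ['2.9.9']
```

Pipe the real output of `mvn dependency:tree` into `find_affected` to check a project; an empty list means no listed-affected jackson-databind version was found in the tree.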
IV. Workarounds
Upgrade to the latest version of Jackson-databind.
Download address: http://central.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/
Note: Before applying the fix, back up your files and test the upgraded version thoroughly.