Service Notices
[Alert] Remote Command Execution Vulnerability of Jackson Databind (CVE-2019-12384)
Jul 25, 2019 GMT+08:00
I. Overview
HUAWEI CLOUD has recently noticed that a deserialization remote code execution vulnerability (CVE-2019-12384) in jackson-databind has been disclosed. The vulnerability is caused by incomplete blacklist filtering in jackson-databind: the blacklist that blocks dangerous classes from polymorphic deserialization does not cover a gadget class shipped in logback-core. An attacker who can supply JSON to an application that applies polymorphic type handling (for example, ObjectMapper.enableDefaultTyping()) to untrusted input, and whose classpath contains logback-core, can construct a JSON data packet that triggers remote code execution.
FasterXML Jackson is a Java data processing library developed by FasterXML. Jackson Databind is the core component that provides the data binding function (mapping JSON to and from Java objects).
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Jackson-databind 2.x versions earlier than 2.9.9.1 (2.0.0 through 2.9.9) are affected.
Jackson-databind 2.9.9.1 and later are not affected.
IV. Workarounds
This vulnerability has been fixed in 2.9.9.1. Upgrade the component to 2.9.9.1 or a later version as soon as possible. If an immediate upgrade is not possible, do not enable default typing (ObjectMapper.enableDefaultTyping()) for untrusted input; where polymorphic deserialization is required, declare the allowed subtypes explicitly on a concrete base type with @JsonTypeInfo and @JsonSubTypes rather than deserializing into Object.
Download address: https://github.com/FasterXML/jackson-databind/releases
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
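To check whether a deployed service is affected before upgrading, the jackson-databind version actually resolved on the classpath must be compared against 2.9.9.1. The script below is an added example for this notice, not HUAWEI CLOUD or FasterXML code; it parses the coordinate lines printed by `mvn dependency:tree` (the sample output embedded in it is constructed for illustration) and flags versions below the fixed release. It uses numeric version comparison because a plain string comparison gets these versions wrong (for example "2.9.10" sorts below "2.9.9.1" as text).

```python
"""Flag jackson-databind versions affected by CVE-2019-12384.

Added example for this advisory; not HUAWEI CLOUD or FasterXML code.
Assumes Maven coordinate tokens of the form
  group:artifact:packaging[:classifier]:version[:scope]
as printed by `mvn dependency:tree`. SAMPLE_TREE below is constructed.
"""
import re
from typing import List, Optional, Tuple

ARTIFACT = "com.fasterxml.jackson.core:jackson-databind"
FIXED_VERSION = "2.9.9.1"  # first release containing the fix

# Constructed sample of `mvn dependency:tree` output (not real project data).
SAMPLE_TREE = """\
[INFO] com.example:demo-service:jar:1.0.0
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.8:compile
[INFO] \\- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO]    \\- ch.qos.logback:logback-core:jar:1.2.3:compile
"""


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '2.9.9.1' into a comparable key.

    Numeric segments are padded to four places so that 2.9.9 == 2.9.9.0
    and sorts below 2.9.9.1. A trailing qualifier such as '.pr1' or
    '-SNAPSHOT' marks a pre-release, which sorts below the final release
    with the same numbers.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version)
    if m is None:
        raise ValueError("unrecognised version: %r" % version)
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    release = 1 if m.group(2) == "" else 0
    return nums, release


def is_affected(version: str) -> bool:
    """True when the version is a 2.x release earlier than the fix."""
    key = parse_version(version)
    return key[0][0] == 2 and key < parse_version(FIXED_VERSION)


def version_from_coordinate(token: str) -> Optional[str]:
    """Extract the version field from a Maven coordinate token."""
    parts = token.split(":")
    # packaging is parts[2]; the version is the first later field that
    # starts with a digit (a classifier such as 'tests' may precede it).
    for part in parts[3:]:
        if part[:1].isdigit():
            return part
    return None


def find_affected(tree_output: str) -> List[Tuple[str, bool]]:
    """Return (version, affected) for every jackson-databind coordinate."""
    results = []
    for line in tree_output.splitlines():
        for token in line.split():
            if token.startswith(ARTIFACT + ":"):
                version = version_from_coordinate(token)
                if version is not None:
                    results.append((version, is_affected(version)))
    return results


if __name__ == "__main__":
    for version, affected in find_affected(SAMPLE_TREE):
        status = "AFFECTED, upgrade to %s or later" % FIXED_VERSION
        print("%s %s: %s" % (ARTIFACT, version, status if affected else "not affected"))
```

Run it against real output with `mvn dependency:tree | python check_jackson.py` after replacing SAMPLE_TREE with `sys.stdin.read()`; the check must be applied to the resolved tree of the deployed artifact, since a version declared in one module can be overridden by dependency management elsewhere in the build.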