[Alert] Remote Command Execution Vulnerability of Jackson Databind (CVE-2019-12384)

Jul 25, 2019 GMT+08:00

I. Overview

HUAWEI CLOUD has recently noticed that a deserialization remote command execution vulnerability (CVE-2019-12384) in jackson-databind has been disclosed. The vulnerability is caused by incomplete blacklist filtering in jackson-databind: an attacker can construct JSON data packets containing malicious code and send them to an affected application, resulting in remote command execution.

FasterXML Jackson is a Java data processing library developed by FasterXML. Jackson Databind is one of its core components and provides the data binding function.

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Jackson-databind versions between 2.0.0 and 2.9.9.1 are affected.

Jackson-databind versions later than 2.9.9.1 are not affected.

IV. Workarounds

This vulnerability has been fixed in version 2.9.9.1 and later. Upgrade the component to 2.9.9.1 or a later version as soon as possible.

Download address: https://github.com/FasterXML/jackson-databind/releases

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
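Before upgrading, the practical first step is to find out which jackson-databind version each application actually ships. The following Python script is an added example and is not part of the HUAWEI CLOUD notice or of the Jackson project; it reads the declared version from a Maven pom.xml and from jar file names, and compares it against the 2.9.9.1 fix version stated above. Jackson's four-component micro-release numbering (2.9.9.1 is newer than 2.9.9 but older than 2.9.10) is handled explicitly, since a plain string comparison gets that wrong. The pom.xml content and jar names are constructed sample input.

```python
import os
import re
import xml.etree.ElementTree as ET

# Version boundaries as stated in the notice.
FIRST_AFFECTED = "2.0.0"
FIXED_VERSION = "2.9.9.1"   # this version and later carry the fix

# Constructed sample pom.xml (not a real project file).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.8</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.26</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed sample classpath listing.
SAMPLE_JARS = [
    "/opt/app/lib/jackson-core-2.9.9.jar",
    "/opt/app/lib/jackson-databind-2.9.9.jar",
    "/opt/app/lib/jackson-annotations-2.9.0.jar",
]

_JAR_RE = re.compile(r"^jackson-databind-(\d+(?:\.\d+)*)\.jar$")


def parse_version(version):
    """Turn '2.9.9.1' into a comparable 4-tuple of ints.

    jackson-databind uses a fourth component for micro-patch releases, so the
    tuple is padded with zeros: '2.9.9' -> (2, 9, 9, 0) sorts below
    '2.9.9.1' -> (2, 9, 9, 1), and '2.9.10' -> (2, 9, 10, 0) sorts above it.
    Trailing qualifiers such as '-SNAPSHOT' are ignored.
    """
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError("not a version string: %r" % version)
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_affected(version):
    """True if the version falls in the affected range given in the notice."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIXED_VERSION)


def _local(tag):
    # Strip the Maven XML namespace from an element tag.
    return tag.split("}")[-1]


def pom_databind_version(pom_xml):
    """Return the jackson-databind version declared in a pom.xml string, or None."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if (fields.get("groupId") == "com.fasterxml.jackson.core"
                and fields.get("artifactId") == "jackson-databind"):
            return fields.get("version")
    return None


def jar_databind_version(path):
    """Return the version embedded in a jackson-databind jar file name, or None."""
    m = _JAR_RE.match(os.path.basename(path))
    return m.group(1) if m else None


def audit(versions):
    """Map each discovered version to whether it is affected."""
    return {v: is_affected(v) for v in versions if v is not None}


if __name__ == "__main__":
    found = [pom_databind_version(SAMPLE_POM)]
    found += [jar_databind_version(j) for j in SAMPLE_JARS]
    for version, affected in audit(found).items():
        status = "AFFECTED, upgrade to %s or later" % FIXED_VERSION if affected else "not affected"
        print("jackson-databind %s: %s" % (version, status))
```

Run against a real build, feed `pom_databind_version` the contents of each module's pom.xml and `jar_databind_version` the jar names from the deployed lib directory; a version bundled transitively by another dependency only shows up in the jar scan, which is why both checks are kept.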