Vulnerability Name: CVE-2019-16335 (CCN-167205) Assigned: 2019-09-11 Published: 2019-09-11 Updated: 2021-02-22 Summary: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540 . CVSS v3 Severity: 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): LowIntegrity (I): NoneAvailibility (A): None
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): NoneAvailibility (A): None
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): NoneAvailibility (A): None
Vulnerability Type: CWE-502 CWE-200 Vulnerability Consequences: Obtain Information References: Source: MITRECVE-2019-16335 RHSA-2019:3200 RHSA-2020:0159 RHSA-2020:0160 RHSA-2020:0161 RHSA-2020:0164 RHSA-2020:0445 RHSA-2020:0729 fasterxml-cve201916335-info-disc(167205) Block one more gadget type (HikariCP, CVE-2019-14439) #2449 https://github.com/FasterXML/jackson-databind/issues/2449 [tinkerpop-commits] 20190924 [GitHub] [tinkerpop] justinchuch opened a new pull request #1200: Upgrade jackson due to CVE issues [hbase-issues] 20190925 [GitHub] [hbase] SteNicholas opened a new pull request #660: HBASE-23075 Upgrade jackson version [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities [hbase-issues] 20190926 [GitHub] [hbase-connectors] SteNicholas opened a new pull request #45: HBASE-23075 Upgrade jackson version [hbase-issues] 20190926 [jira] [Commented] (HBASE-23075) Upgrade jackson to version 2.9.10 due to CVE-2019-16335 and CVE-2019-14540 [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities [nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html [hbase-issues] 20190926 [jira] [Updated] (HBASE-23075) Upgrade jackson to version 2.9.10 due to CVE-2019-16335 and CVE-2019-14540 [hbase-commits] 20190927 [hbase-connectors] 02/02: HBASE-23075 Upgrade jackson to version 2.9.10 due to CVE-2019-16335 and CVE-2019-14540 [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image [nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html [geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12 [debian-lts-announce] 20191002 [SECURITY] [DLA 1943-1] jackson-databind security update FEDORA-2019-cf87377f5f FEDORA-2019-b171554877 20191007 [SECURITY] [DSA 4542-1] jackson-databind security update https://security.netapp.com/advisory/ntap-20191004-0002/ Security Bulletin: IBM Event Streams is affected by jackson-databind vulnerabilities DSA-4542 IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind Vulnerability affecting IBM Network Performance Insight (CVE-2019-16335) Multiple vulnerabilities in FasterXML Jackson-databind affect IBM Spectrum Protect Plus (CVE-2019-16943, CVE-2019-16942, CVE-2019-17531, CVE-2019-17267, CVE-2019-14540, CVE-2019-16335, CVE-2019-14379, CVE-2019-14439) Multiple security vulnerabilities have been Identified In Jackson Databind library shipped with IBM Global Mailbox Multiple Security Vulnerabilities in Jackson-databind Affect IBM Sterling B2B Integrator IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities IBM Data Risk Manager is affected by multiple vulnerabilities Multiple vulnerabilities affects IBM Jazz Foundation and IBM Engineering products. IBM Security Guardium Insights is affected by Components with known vulnerabilities IBM Data Risk Manager is affected by multiple vulnerabilities IBM Maximo Asset Management is vulnerable to Multiple Jackson-Databind CVEs - February 2020 Multiple vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics - Log Analysis Jackson-Databind Vulnerabilities Affect the B2B API of IBM Sterling B2B Integrator Vulnerability in jackson-databind affects IBM Process Mining (Multiple CVEs) IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities z/Transaction Processing Facility is affected by multiple vulnerabilities in the jackson-databind, jackson-dataformat-xml, jackson-core, slf4j-ext, and cxf-core packages Multiple vulnerabilities in Data-Binding for Jackson shipped with IBM Operations Analytics - Log Analysis Multiple CVEs affect IBM Integration Designer IBM Security Verify Governance is vulnerable to a denial of service caused by multiple vulnerabilities. N/A https://www.oracle.com/security-alerts/cpujan2020.html https://www.oracle.com/security-alerts/cpujul2020.html Oracle Critical Patch Update Advisory - October 2020 https://www.oracle.com/security-alerts/cpuoct2020.html https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html Vulnerable Configuration: Configuration 1 :cpe:/a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (Version >= 2.6.0 and < 2.6.7.3)OR cpe:/a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (Version >= 2.8.0 and < 2.8.11.5) OR cpe:/a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (Version >= 2.9.0 and < 2.9.10) Configuration 2 :cpe:/o:fedoraproject:fedora:30:*:*:*:*:*:*:* OR cpe:/o:fedoraproject:fedora:31:*:*:*:*:*:*:* Configuration 3 :cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:* OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:* OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:* Configuration 4 :cpe:/a:netapp:oncommand_api_services:-:*:*:*:*:*:*:* OR cpe:/a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* OR cpe:/a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:* Configuration 5 :cpe:/a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:* OR cpe:/a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:* AND cpe:/o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* Configuration 6 :cpe:/a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:* OR cpe:/a:oracle:customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:* OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* (Version >= 8.0.2 and <= 8.0.8) OR cpe:/a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:* (Version < 11.2.0.3.23) OR cpe:/a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:* (Version >= 12.2.0.1.0 and < 12.2.0.1.19) OR cpe:/a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:* (Version >= 13.9.4.0.0 and < 13.9.4.2.1) OR cpe:/a:oracle:goldengate_application_adapters:19.1.0.0.0:*:*:*:*:*:*:* OR cpe:/a:oracle:goldengate_stream_analytics:*:*:*:*:*:*:*:* (Version < 19.1.0.0.1) OR cpe:/a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_gateway:16.1:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_gateway:*:*:*:*:*:*:*:* (Version >= 17.7 and <= 17.12) OR cpe:/a:oracle:primavera_gateway:18.8.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:* OR cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* Configuration RedHat 1 :cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:* Configuration RedHat 2 :cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:* Configuration CCN 1 :cpe:/a:fasterxml:jackson-databind:2.9.9.1:*:*:*:*:*:*:* AND cpe:/a:ibm:maximo_asset_management:7.6.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:maximo_asset_management:7.6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:5.2.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.0.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:event_streams:2019.2.1:*:*:*:*:*:*:* OR cpe:/a:ibm:watson_discovery:1.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:watson_discovery:2.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_protect_plus:10.1.5:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.3:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.4:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.5:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.0.3.1:*:*:*:*:*:*:* OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.6:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.5.3:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.6.0:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.1:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.2:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.3:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.4:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.5:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.6:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.6.2:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium_insights:2.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:* OR cpe:/a:ibm:integration_designer:20.0.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:* Oval Definitions BACK
fasterxml jackson-databind *
fasterxml jackson-databind *
fasterxml jackson-databind *
fedoraproject fedora 30
fedoraproject fedora 31
debian debian linux 8.0
debian debian linux 9.0
debian debian linux 10.0
netapp oncommand api services -
netapp oncommand workflow automation -
netapp steelstore cloud integrated storage -
redhat jboss enterprise application platform 7.2
redhat jboss enterprise application platform 7.3
redhat enterprise linux 6.0
redhat enterprise linux 7.0
redhat enterprise linux 8.0
oracle banking platform 2.4.0
oracle banking platform 2.4.1
oracle banking platform 2.5.0
oracle banking platform 2.6.0
oracle banking platform 2.6.1
oracle banking platform 2.7.0
oracle banking platform 2.7.1
oracle customer management and segmentation foundation 18.0
oracle financial services analytical applications infrastructure *
oracle global lifecycle management opatch *
oracle global lifecycle management opatch *
oracle global lifecycle management opatch *
oracle goldengate application adapters 19.1.0.0.0
oracle goldengate stream analytics *
oracle primavera gateway 15.2
oracle primavera gateway 16.1
oracle primavera gateway 16.2
oracle primavera gateway *
oracle primavera gateway 18.8.0
oracle retail customer management and segmentation foundation 17.0
oracle retail xstore point of service 7.1
oracle retail xstore point of service 15.0
oracle retail xstore point of service 16.0
oracle retail xstore point of service 17.0
oracle retail xstore point of service 18.0
oracle weblogic server 12.2.1.3.0
fasterxml jackson-databind 2.9.9.1
ibm maximo asset management 7.6.0
ibm rational rhapsody design manager 6.0.2
ibm spectrum protect plus 10.1.0
ibm maximo asset management 7.6.1
ibm sterling b2b integrator 6.0.0.0
ibm sterling b2b integrator 5.2.0.0
ibm sterling b2b integrator 6.0.1.0
ibm event streams 2019.2.1
ibm watson discovery 1.0.0
ibm watson discovery 2.0.1
ibm spectrum protect plus 10.1.5
ibm data risk manager 2.0.1
ibm data risk manager 2.0.2
ibm data risk manager 2.0.3
ibm data risk manager 2.0.4
ibm data risk manager 2.0.5
ibm data risk manager 2.0.6
ibm sterling b2b integrator 6.0.3.1
ibm security identity governance and intelligence 5.2.6
ibm log analysis 1.3.5.3
ibm log analysis 1.3.6.0
ibm log analysis 1.3.1
ibm log analysis 1.3.2
ibm log analysis 1.3.3
ibm log analysis 1.3.4
ibm log analysis 1.3.5
ibm log analysis 1.3.6
ibm data risk manager 2.0.6.1
ibm data risk manager 2.0.6.2
ibm security guardium insights 2.0.1
ibm log analysis 1.3.6.1
ibm sterling b2b integrator 6.1.0.0
ibm integration designer 20.0.0.2
ibm security verify governance 10.0
Denotes that component is vulnerable