PT-2019-12628 · Mapr · Mapr Core Platform

Published: 2019-10-24 · Updated: 2020-08-24 · CVE-2019-12017

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MapR core platform (affected versions not specified)

Description: A remote code execution issue exists in the MapR CLDB code, specifically in the JSON framework used for login and ticket issuance. An attacker can manipulate the "class" property of a JSON request to influence the JSON library's deserialization decision, forcing the MapR CLDB to load a malicious Java class from a remote path and execute arbitrary code on the machine running the MapR CLDB, potentially taking over the cluster.
Recommendations: To resolve this issue, switch to the newer Jackson library and ensure that every incoming JSON request is deserialized only to the same class from which it was serialized, so that the request document never chooses the class to instantiate.
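The following is an added illustration of that recommendation on the defending side; it is not MapR code and not part of the advisory. It binds a login request to one fixed Java class chosen by server code and configures Jackson to reject any member the class does not declare, so a request carrying an unexpected "class" member fails before any type decision is made. The LoginRequest class, the parseLoginRequest method and the two sample request bodies are assumptions constructed for the example.

```java
import java.io.IOException;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

// Hypothetical request type for this example: a plain value object with no
// polymorphic (Object / interface) fields, so Jackson has no class to choose.
@JsonIgnoreProperties(ignoreUnknown = false)
final class LoginRequest {
    public String user;
    public String password;
}

public final class SafeLoginJson {

    // One shared mapper. Note what is deliberately absent: no
    // enableDefaultTyping() / activateDefaultTyping(...), the setting that
    // lets a JSON document name the Java class to instantiate.
    private static final ObjectMapper MAPPER = new ObjectMapper()
            // Any property the target class does not declare is a hard error.
            .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);

    /** Binds untrusted JSON to the fixed LoginRequest type, or throws. */
    public static LoginRequest parseLoginRequest(String json) throws IOException {
        // The target class is fixed here by server code, never by the document.
        return MAPPER.readValue(json, LoginRequest.class);
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the example (not real traffic).
        String ok = "{\"user\":\"alice\",\"password\":\"s3cret\"}";
        String tampered =
            "{\"user\":\"alice\",\"password\":\"x\",\"class\":\"placeholder.ClassName\"}";

        for (String doc : new String[] {ok, tampered}) {
            try {
                LoginRequest r = parseLoginRequest(doc);
                System.out.println("accepted login request for user=" + r.user);
            } catch (UnrecognizedPropertyException e) {
                // An unexpected member such as "class": reject the request and
                // record the property name; this is a useful detection signal.
                System.out.println("rejected: unknown property '"
                        + e.getPropertyName() + "'");
            } catch (IOException e) {
                System.out.println("rejected: malformed JSON");
            }
        }
    }
}
```

Run with the Jackson databind jar on the classpath; the first document is accepted and the second is rejected on the "class" member. If a service genuinely needs polymorphic deserialization, Jackson 2.10 and later provide BasicPolymorphicTypeValidator so that an explicit allow-list of subtypes, rather than the document, bounds what can be instantiated.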

Fix

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2019-12017

Affected Products: Jackson Library, Mapr Core Platform