PT-2019-3766 · Terracotta+4 · Ehcache+4
Published: 2019-07-03 · Updated: 2023-09-13 · CVE-2019-14379
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
jackson-databind versions 2.7.0 through 2.7.9.5
jackson-databind versions 2.8.0 through 2.8.11.3
jackson-databind versions 2.9.0 through 2.9.9.1
Description
This is a polymorphic typing issue in jackson-databind: when default typing is enabled and ehcache is on the classpath, the block-list in SubTypeValidator.java does not cover the net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup class. Because the vulnerability lies in deserializing untrusted data into object structures in memory, a remote attacker who can supply JSON to such an application can achieve remote code execution.
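The configuration the description refers to, shown as an added example that is not part of this advisory and not code from the jackson-databind or Ehcache projects. The first mapper uses global default typing, the pattern that makes the application dependent on SubTypeValidator's block-list; the other two show the defensive alternatives. The package prefix com.example.model is a placeholder, and the allow-list API (BasicPolymorphicTypeValidator, activateDefaultTyping) exists from jackson-databind 2.10 onward, so it is available after the upgrades listed under Recommendations.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingConfig {

    // Vulnerable pattern on the affected 2.7.x / 2.8.x / 2.9.x builds: global default
    // typing lets the JSON document name the concrete class to instantiate, so safety
    // depends entirely on SubTypeValidator's internal block-list knowing every gadget
    // class present on the classpath (here: the ehcache lookup class named above).
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // global default typing: avoid this
        return mapper;
    }

    // Preferred: leave default typing off. ObjectMapper does not enable it by itself,
    // so this mapper only instantiates the target types declared in code.
    static ObjectMapper safeMapper() {
        return new ObjectMapper();
    }

    // If polymorphic deserialization is genuinely required (jackson-databind 2.10+):
    // allow-list the permitted base and sub types instead of relying on a block-list.
    // "com.example.model." is a placeholder for the application's own model package.
    static ObjectMapper allowListMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfBaseType("com.example.model.")
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }
}
```

With the allow-list mapper, a type identifier outside the listed package is rejected by the validator before any constructor runs, which is the property the block-list approach in the affected versions could not guarantee; searching a code base for enableDefaultTyping() and for @JsonTypeInfo(use = Id.CLASS) is a quick way to find the places that need this review.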
Recommendations
For jackson-databind versions 2.7.0 through 2.7.9.5, update to version 2.7.9.6 or later.
For jackson-databind versions 2.8.0 through 2.8.11.3, update to version 2.8.11.4 or later.
For jackson-databind versions 2.9.0 through 2.9.9.1, update to version 2.9.9.2 or later.
As a temporary workaround, consider disabling the use of ehcache until a patch is available. Restrict access to the SubTypeValidator.java file to minimize the risk of exploitation. Avoid using the net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup class in the affected jackson-databind versions until the issue is resolved.
Fix
RCE
Deserialization of Untrusted Data
Prototype Pollution
Related Identifiers
Affected Products
Alt Linux
Apple Macos
Ubuntu
Ehcache
Jackson-Databind