
Cloud Vulnerability DB
A community-led vulnerabilities database
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it permits polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods. The vulnerability was discovered in 2019 and assigned the identifier CVE-2019-14893. It affects applications using the jackson-databind library with specific configurations that enable polymorphic type handling (CVE-MITRE).
The vulnerability occurs when using polymorphic type handling methods such as enableDefaultTyping(), when @JsonTypeInfo uses Id.CLASS or Id.MINIMAL_CLASS, or in any other way in which ObjectMapper.readValue might instantiate objects from unsafe sources. The vulnerability specifically involves the xalan JNDI gadget, which can be exploited when deserializing objects (BUGZILLA).
Successful exploitation of this vulnerability could lead to arbitrary code execution. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL), indicating the highest severity level, with potential for complete compromise of affected systems (NETAPP-ADVISORY).
The vulnerability has been fixed in jackson-databind versions 2.9.10 and 2.10.0. Organizations should upgrade to these or later versions to address the vulnerability. If immediate upgrading is not possible, it is recommended to avoid deserialization from untrusted sources and disable polymorphic type handling features (GITHUB-ISSUE).
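The following is an added example (not code from the Wiz database entry or from the FasterXML project) showing the weak global default-typing configuration this class of issue depends on beside two hardened alternatives: declaring polymorphism per base type with a name-based allowlist, and, where default typing is truly needed, scoping it with a PolymorphicTypeValidator. It assumes jackson-databind 2.10 or later on the classpath (activateDefaultTyping and BasicPolymorphicTypeValidator do not exist in 2.9.x); the Shape and Circle types and the sample JSON documents are constructed for the demonstration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not part of the advisory or of jackson-databind itself.
public class JacksonPolymorphismDemo {

    // Hypothetical domain types. Id.NAME plus an explicit @JsonSubTypes list means the
    // JSON can only select "circle", never an arbitrary fully qualified class name.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Circle.class, name = "circle") })
    public interface Shape { }

    public static class Circle implements Shape {
        public double radius;
    }

    // WEAK: global default typing lets the document name any class on the classpath
    // (wrapper-array form ["fully.qualified.Name", {...}]). This is the configuration the
    // advisory warns about; it is deprecated in 2.10 for exactly this reason.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }

    // HARDENED 1: no default typing at all. Polymorphism is declared on the base type
    // with Id.NAME, so a class name supplied in the input is never honoured.
    static ObjectMapper safeMapperNoDefaultTyping() {
        return new ObjectMapper();
    }

    // HARDENED 2 (2.10+): if default typing cannot be avoided, restrict it with a validator
    // that only admits subtypes of your own base type. Any other type id is rejected during
    // type resolution, before a constructor or setter of the named class can run.
    static ObjectMapper safeMapperWithValidator() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a well-formed document for the allowlisted subtype.
        String circle = "{\"type\":\"circle\",\"radius\":2.5}";
        Shape s = safeMapperNoDefaultTyping().readValue(circle, Shape.class);
        System.out.println("parsed " + s.getClass().getSimpleName());

        // Constructed input: a document that selects a class outside the allowlist.
        // java.util.HashMap is used only as a harmless stand-in for "any class the
        // attacker chooses"; the point is who decides which class gets instantiated.
        String chosenType = "[\"java.util.HashMap\",{}]";

        // Weak mapper: the input, not the application, picks the class.
        Object o = weakMapper().readValue(chosenType, Object.class);
        System.out.println("weak mapper instantiated " + o.getClass().getName());

        // Validator-scoped mapper: the type id is denied (InvalidTypeIdException,
        // a JsonMappingException subclass) because HashMap is not a Shape.
        try {
            safeMapperWithValidator().readValue(chosenType, Object.class);
            System.out.println("unexpected: type id accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

When auditing a code base for this issue, grep for enableDefaultTyping, activateDefaultTyping without a restrictive validator, and @JsonTypeInfo annotations using Id.CLASS or Id.MINIMAL_CLASS; each is a place where the serialized input, rather than the application, chooses the class to instantiate, which is the precondition the advisory describes. The per-type Id.NAME pattern above works on both 2.9.x and 2.10.x, so it is the portable remediation when an immediate upgrade is not possible.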
Multiple vendors and organizations responded to this vulnerability by releasing security advisories and patches, including Red Hat, NetApp, and Oracle. Red Hat rated this update as having a security impact of Important, while NetApp classified it as Critical with a CVSS score of 9.8 (NETAPP-ADVISORY, REDHAT-BUGZILLA).
Source: This report was generated using AI