
Commit aefa025

Block one more gadget type (oracle-jdbc, CVE-2018-12023)
Merged from FasterXML/jackson-databind#2058
1 parent 437750a commit aefa025

2 files changed: +5 -1 lines changed


release-notes/VERSION

Lines changed: 2 additions & 1 deletion
@@ -22,7 +22,8 @@ One more patch release for 1.9.
2222
* [databind#1855]: Blacklist for more serialization gadgets (dbcp/tomcat, spring)
2323
* [databind#1931]: Two more `c3p0` gadgets to exploit default typing issue
2424
* [databind#2032]: Blacklist another serialization gadget (ibatis)
25-
* [databind#2052]: Block one more gadget type (jodd-db, CVE-2018-12022)
25+
* [databind#2052]: CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library
26+
* [databind#2058]: CVE-2018-12023: Block polymorphic deserialization of types from Oracle JDBC driver
2627

2728
1.9.13 (14-Jul-2013)
2829
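Review bot: the new `[databind#2058]` entry names only the library ("types from Oracle JDBC driver"), while the code hunk blocks exactly two classes; consider listing them here (`oracle.jdbc.connector.OracleManagedConnectionFactory`, `oracle.jdbc.rowset.OracleJDBCRowSet`) so that readers of the release notes can tell which types are covered without reading `SubTypeValidator`. The rewording of the `[databind#2052]` line to the "CVE-…: Block polymorphic deserialization of types from …" form is a welcome consistency fix; the same one-line-per-CVE style should be kept for future entries.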

src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java

Lines changed: 3 additions & 0 deletions
@@ -60,6 +60,9 @@ public class SubTypeValidator
6060
// [databind#2052]: ldap approaches; in all cases LDAP connection String is passed
6161
// and access attempt is made:
6262
s.add("jodd.db.connection.DataSourceConnectionProvider");
63+
// [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
64+
s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
65+
s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
6366

6467
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
6568
}
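Review bot: the two `s.add(...)` calls extend an exact-name deny list that is frozen by `Collections.unmodifiableSet(s)`, so only these two fully-qualified class names are rejected; other classes from the same driver, or subclasses of these, are not covered, which is narrower than the release note's "types from Oracle JDBC driver" suggests. The new comment should say so explicitly and should carry the CVE identifier (CVE-2018-12023) next to `[databind#2058]`, as the neighbouring `[databind#2052]` entry lacks one too and the mapping issue-to-CVE currently lives only in `release-notes/VERSION`. The mitigation itself is sound for the reported gadgets, but as with the earlier entries it is reactive; the safer long-term control remains not enabling default typing on untrusted input.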
