Block one more gadget type (oracle-jdbc, CVE-2018-12023)

Merged from FasterXML/jackson-databind#2058
atlassian · Oct 22, 2019 · aefa025 · aefa025
1 parent 437750a
commit aefa025
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -22,7 +22,8 @@ One more patch release for 1.9.
 * [databind#1855]: Blacklist for more serialization gadgets (dbcp/tomcat, spring)
 * [databind#1931]: Two more `c3p0` gadgets to exploit default typing issue
 * [databind#2032]: Blacklist another serialization gadget (ibatis)
-* [databind#2052]: Block one more gadget type (jodd-db, CVE-2018-12022)
+* [databind#2052]: CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library
+* [databind#2058]: CVE-2018-12023: Block polymorphic deserialization of types from Oracle JDBC driver
 
 1.9.13 (14-Jul-2013)
 

diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -60,6 +60,9 @@ public class SubTypeValidator
         // [databind#2052]: ldap approaches; in all cases LDAP connection String is passed
         //   and access attempt is made:
         s.add("jodd.db.connection.DataSourceConnectionProvider");
+        // [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
+        s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
+        s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
 
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }