Fix #2186

FasterXML · Nov 20, 2018 · 72cd402 · 72cd402
1 parent 26dba44
commit 72cd402
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -7,8 +7,12 @@ Project: jackson-databind
 
 #2097: Block more classes from polymorphic deserialization (CVE-2018-14718
   - CVE-2018-14721)
+ (reported by Guixiong Wu)
 #2109: Canonical string for reference type is built incorrectly
  (reported by svarzee@github)
+#2186: Block more classes from polymorphic deserialization (CVE-2018-19360,
+  CVE-2018-19361, CVE-2018-19362)
+ (reported by Guixiong Wu)
 
 2.8.11.2 (08-Jun-2018)
 

diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -76,6 +76,12 @@ public class SubTypeValidator
         s.add("com.sun.deploy.security.ruleset.DRSHelper");
         s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
 
+        // [databind#2186]: yet more 3rd party gadgets
+        s.add("org.jboss.util.propertyeditor.DocumentEditor");
+        s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
+        s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
+        s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }