Skip to content

Commit

Permalink
Block one more gadget type (oracle-jdbc, CVE-2018-12023)
Browse files Browse the repository at this point in the history
  • Loading branch information
ablekhman committed Oct 22, 2019
1 parent 437750a commit aefa025
Show file tree
Hide file tree
Showing 2 changed files with 5 additions and 1 deletion.
3 changes: 2 additions & 1 deletion release-notes/VERSION
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,8 @@ One more patch release for 1.9.
* [databind#1855]: Blacklist for more serialization gadgets (dbcp/tomcat, spring)
* [databind#1931]: Two more `c3p0` gadgets to exploit default typing issue
* [databind#2032]: Blacklist another serialization gadget (ibatis)
* [databind#2052]: Block one more gadget type (jodd-db, CVE-2018-12022)
* [databind#2052]: CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library
* [databind#2058]: CVE-2018-12023: Block polymorphic deserialization of types from Oracle JDBC driver

1.9.13 (14-Jul-2013)

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,9 @@ public class SubTypeValidator
// [databind#2052]: ldap approaches; in all cases LDAP connection String is passed
// and access attempt is made:
s.add("jodd.db.connection.DataSourceConnectionProvider");
// [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
s.add("oracle.jdbc.rowset.OracleJDBCRowSet");

DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}
Expand Down

0 comments on commit aefa025

Please sign in to comment.