Block one more gadget type (ignite-jta, CVE-2020-10650)

mtokarski-atlassian · mtokarski-atlassian · commit 86bdda086731 · 2020-05-08T10:56:23.000+02:00
Merged from FasterXML/jackson-databind#2658
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -53,6 +53,7 @@ One more patch release for 1.9.
 * [databind#2642]: Block one more gadget type (javax.swing, CVE-2020-10969)
 * [databind#2648]: Block one more gadget type (shiro-core)
 * [databind#2653]: Block one more gadget type (shiro-core, 2nd class)
+* [databind#2658]: Block one more gadget type (ignite-jta, CVE-2020-10650)
 
 1.9.13 (14-Jul-2013)
 
diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -122,6 +122,11 @@ public class SubTypeValidator
         s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
         s.add("org.apache.shiro.jndi.JndiObjectFactory");
 
+        // [databind#2658]: ignite-jta (, quartz-core)
+        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup");
+        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
+        s.add("org.quartz.utils.JNDIConnectionProvider");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 
