diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index 1c5313f785..7ebd14d314 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -24,6 +24,7 @@ Project: jackson-databind
 (reported by kingkk)
 #2460: Block one mode gadget type (ehcache, no CVE allocated yet)
 (reported by Fei Lu)
+#2462: Block two more gadget types (commons-configuration)
 2.9.9 (16-May-2019)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 092c6273eb..81d477e1e6 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -104,7 +104,11 @@ public class SubTypeValidator
 // [databind#2420]: CXF/JAX-RS provider/XSLT
 s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
-
+
+ // [databind#2462]: commons-configuration / -2
+ s.add("org.apache.commons.configuration.JNDIConfiguration");
+ s.add("org.apache.commons.configuration2.JNDIConfiguration");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
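Review bot: In the SubTypeValidator.java hunk, the two new `s.add(...)` entries for `JNDIConfiguration` come with no test in the visible diff, so nothing pins that both the `configuration` and `configuration2` names stay in `DEFAULT_NO_DESER_CLASS_NAMES`. If the project keeps a test that enumerates blocked polymorphic subtypes, both names should be added to it. The entries are literal class-name strings; assuming the validator matches on the exact name (the lookup code is outside this hunk), subclasses and shaded or relocated copies of these classes would not be rejected. The comment `// [databind#2462]: commons-configuration / -2` is also terse for a deny-list entry, and something like `// [databind#2462]: commons-configuration 1.x and 2.x, JNDI-backed configuration (exact class names only)` would tell a maintainer what is and is not covered. The static initializer these lines sit in begins outside the hunk.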