From 8438b6f5db04349608c41b8af1001751537f13e3 Mon Sep 17 00:00:00 2001
From: Alex Blekhman
Date: Wed, 23 Oct 2019 09:40:32 +1100
Subject: [PATCH] Another two gadgets to exploit default typing issue in jackson-databind (CVE-2018-5968)

Merged from FasterXML/jackson-databind#1899
---
 release-notes/VERSION | 1 +
 .../codehaus/jackson/map/jsontype/impl/SubTypeValidator.java | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/release-notes/VERSION b/release-notes/VERSION
index b1739fdad..c15a04d1a 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -24,6 +24,7 @@ One more patch release for 1.9.
 * [databind#2032]: Blacklist another serialization gadget (ibatis)
 * [databind#2052]: CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library
 * [databind#2058]: CVE-2018-12023: Block polymorphic deserialization of types from Oracle JDBC driver
+* [databind#1899]: Another two gadgets to exploit default typing issue in jackson-databind (reported by OneSourceCat@github)
 1.9.13 (14-Jul-2013)
diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
index 34ad09be3..3e3cf7098 100644
--- a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
+++ b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -63,6 +63,9 @@ public class SubTypeValidator
 // [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
 s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
 s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
+ // [databind#1899]: more 3rd party
+ s.add("org.hibernate.jmx.StatisticsService");
+ s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
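Review bot: The added comment `// [databind#1899]: more 3rd party` in SubTypeValidator says less than the neighbouring entries, which name the library and the reason the type is blocked (e.g. the #2058 line records "Oracle JDBC driver, with jndi/ldap lookup"), so a maintainer auditing DEFAULT_NO_DESER_CLASS_NAMES cannot tell from the list itself why these two names are there; I would replace it with `// [databind#1899]: CVE-2018-5968 - Hibernate JMX StatisticsService and MyBatis JNDI data-source factory`. Since the set is matched by exact fully-qualified class name, each relocation or variant of a gadget needs its own entry, as the older "ibatis" entry under #2032 and this org.apache.ibatis one illustrate, so the list is a stopgap rather than a fix; the commit or the class Javadoc could state that the supported mitigation is to leave default typing disabled and the list only reduces exposure for callers that enable it. The static initializer that builds `s` starts before this hunk, so the surrounding entries and the set's declaration are not visible here.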