Fix #2498

cowtowncoder · cowtowncoder · commit b5a304a98590 · 2019-10-12T11:00:17.000-07:00
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -14,7 +14,8 @@ Unreleased but backported
 #2460: Block one more gadget type (ehcache, CVE-2019-17267)
 #2462: Block two more gadget types (commons-configuration)
 #2469: Block one more gadget type (xalan2)
-#2478: Block two more gadget types (commons-dbcp, p6spy)
+#2478: Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943)
+#2498: Block one more gadget type (log4j-extras/1.2)
 
 2.8.11.4 (25-Jul-2019)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -119,6 +119,10 @@ public class SubTypeValidator
         s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
         s.add("com.p6spy.engine.spy.P6DataSource");
 
+        // [databind#2498]: log4j-extras (1.2)
+        s.add("org.apache.log4j.receivers.db.DriverManagerConnectionSource");
+        s.add("org.apache.log4j.receivers.db.JNDIConnectionSource");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,10 @@ public class SubTypeValidator`
`119`	`119`	`s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");`
`120`	`120`	`s.add("com.p6spy.engine.spy.P6DataSource");`
`121`	`121`
	`122`	`+ // [databind#2498]: log4j-extras (1.2)`
	`123`	`+ s.add("org.apache.log4j.receivers.db.DriverManagerConnectionSource");`
	`124`	`+ s.add("org.apache.log4j.receivers.db.JNDIConnectionSource");`
	`125`	`+`
`122`	`126`	`DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);`
`123`	`127`	`}`
`124`	`128`