Block one more gadget type (weblogic/oracle-aqjms)

Merged from FasterXML/jackson-databind#2698
atlassian · May 8, 2020 · 80ecfc4 · 80ecfc4
1 parent 943c5cd
commit 80ecfc4
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -63,6 +63,7 @@ One more patch release for 1.9.
 * [databind#2680]: Block one more gadget type (SSRF, spring-jpa, CVE-2020-11619)
 * [databind#2682]: Block one more gadget type (commons-jelly, CVE-2020-11620)
 * [databind#2688]: Block one more gadget type (apache-drill)
+* [databind#2698]: Block one more gadget type (weblogic/oracle-aqjms)
 
 1.9.13 (14-Jul-2013)
 

diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -164,6 +164,15 @@ public class SubTypeValidator
         // [databind#2688]: apache/drill
         s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
 
+        // [databind#2698]: weblogic w/ oracle/aq-jms
+        // (note: dependency not available via Maven Central, but as part of
+        // weblogic installation, possibly fairly old version(s))
+        s.add("oracle.jms.AQjmsQueueConnectionFactory");
+        s.add("oracle.jms.AQjmsXATopicConnectionFactory");
+        s.add("oracle.jms.AQjmsTopicConnectionFactory");
+        s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
+        s.add("oracle.jms.AQjmsXAConnectionFactory");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }