
Block one more gadget type (jodd-db, CVE-2018-12022) #2052

Closed
@cowtowncoder

Description


There is a potential remote code execution (RCE) vulnerability if the user is

  1. handling untrusted content (where the attacker can craft the JSON),
  2. using the "Default Typing" feature (or equivalent: a polymorphic value with base type java.lang.Object),
  3. has the jodd-db (https://jodd.org/db/) jar on the classpath, and
  4. allows connections from the service to untrusted hosts (where the attacker can run an LDAP service).

(note: preconditions 1 and 2 are common to all of the related Jackson CVEs, as explained in https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)

To solve the issue, one type from the Jodd database component is blacklisted to prevent its use as a "serialization gadget".
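The two sides of precondition 2, as an added example that is not part of the issue or of jackson-databind itself: the lax "Default Typing" configuration the report assumes, next to an allow-listed configuration that refuses every subtype outside the application's own package. It assumes jackson-databind 2.10 or later on the classpath (where PolymorphicTypeValidator exists); the package `com.example.app`, the classes `Envelope` and `Greeting`, and the JSON inputs are constructed for the example. `java.util.HashMap` stands in for an attacker-chosen class that happens to be on the classpath; it is not a gadget and nothing here names the blacklisted Jodd type.

```java
package com.example.app;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example, not jackson-databind's own code. Shows the "Default Typing"
 * precondition from the issue: a mapper that instantiates whatever class the JSON
 * names, beside one that only accepts subtypes from an explicit allow-list.
 * Assumes jackson-databind 2.10+; package and class names are hypothetical.
 */
public class DefaultTypingExample {

    /** Hypothetical application type we legitimately want to deserialize polymorphically. */
    public static class Greeting {
        public String text;
    }

    /** An Object-typed field is exactly the base type precondition 2 describes. */
    public static class Envelope {
        public Object payload;
    }

    // Constructed JSON in the shape default typing accepts for an Object-typed value:
    // a two-element array of [fully-qualified type id, value].
    static final String BENIGN_JSON =
        "{\"payload\":[\"" + Greeting.class.getName() + "\",{\"text\":\"hi\"}]}";

    // Same shape, but the type id is chosen by the sender. java.util.HashMap is a harmless
    // stand-in for "any class that happens to be on the classpath" (precondition 3).
    static final String HOSTILE_JSON =
        "{\"payload\":[\"java.util.HashMap\",{\"jndiName\":\"ldap://attacker.example/x\"}]}";

    /** Lax configuration: the class named in the JSON is loaded and instantiated. */
    @SuppressWarnings("deprecation")
    static ObjectMapper laxMapper() {
        ObjectMapper m = new ObjectMapper();
        // Deprecated since 2.10 because its only protection is the maintainers' blocklist
        // (the fix in this issue adds one more entry to that list), not an allow-list.
        m.enableDefaultTyping();
        return m;
    }

    /** Hardened configuration: only subtypes under our own package prefix are resolvable. */
    static ObjectMapper allowListedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.app.")
            .build();
        return JsonMapper.builder()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
            .build();
    }

    /** Reports what a mapper did with a payload: which class it built, or why it refused. */
    static String probe(ObjectMapper mapper, String json) {
        try {
            Envelope e = mapper.readValue(json, Envelope.class);
            return "accepted: " + e.payload.getClass().getName();
        } catch (InvalidTypeIdException ex) {
            return "rejected type id '" + ex.getTypeId() + "': " + ex.getOriginalMessage();
        } catch (Exception ex) {
            return "failed: " + ex;
        }
    }

    public static void main(String[] args) {
        System.out.println("lax, benign:         " + probe(laxMapper(), BENIGN_JSON));
        System.out.println("lax, hostile:        " + probe(laxMapper(), HOSTILE_JSON));
        System.out.println("allow-list, benign:  " + probe(allowListedMapper(), BENIGN_JSON));
        System.out.println("allow-list, hostile: " + probe(allowListedMapper(), HOSTILE_JSON));
    }
}
```

The lax mapper builds a `java.util.HashMap` because the sender asked for one; substitute a class with a dangerous constructor or setter that is on the classpath and the same code path is the RCE chain the issue describes. The allow-listed mapper still loads the named class to inspect it, but rejects it with an `InvalidTypeIdException` before any instance is created, because a prefix allow-list leaves the maintainers' blocklist as defence in depth rather than the only line.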

Original vulnerability discoverer:
吴桂雄 Wuguixiong

Fixed in:

  • 2.9.6 and later
  • 2.8.11.2
  • 2.7.9.4
  • 2.6.7.3


Labels: CVE (issues related to public CVEs / security vuln reports)
