Block more serialization gadgets (dbcp/tomcat, spring / CVE-2017-17485)

[cowtowncoder]

More potential deserialization gadgets reported for:

• DBCP types (similar to c3p0 ones already included)
• Spring framework AOP helpers
• Spring framework application context

For some of these need to check parent hierarchy.

Fixed in:

• 2.9.4
• 2.8.11
• 2.7.9.2
• 2.6.7.3
• Not applicable to 2.10.0 or later

[cowtowncoder]

I think this covers to-be-released CVE-2017-17485.

[adioss]

Hello,
Could you provide a list of affected version? In the CVE declaration https://nvd.nist.gov/vuln/detail/CVE-2017-17485, the "Vulnerable software and versions" part is omitted so it's not clear (I don't know if it's normal?). All versions before 2.8.10 and/or before 2.9.1?
Thanks a lot!