Block one more gadget type (mybatis, CVE-2018-11307)

[cowtowncoder]

A new potential gadget type from MyBatis (https://github.com/mybatis/mybatis-3) has been reported. It may allow content exfiltration (remote access by sending contents over ftp) when untrusted content is deserialized with default typing enabled.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2018-11307

Original vulnerability discoverer:
吴桂雄 Wuguixiong

Fixed in

• 2.9.5 and later
• 2.8.11.2
• 2.7.9.4
• 2.6.7.3

[Boaz20]

@cowtowncoder - When do you think 2.9.6 will be released?

[cowtowncoder]

@Boaz20 have been hoping to get "any day now" -- with good luck, by end of the week. But unfortunately I have been extremely busy (new job, house remodeling :) ).

[Boaz20]

@cowtowncoder - thanks for the follow-up - much appreciated.

[cowtowncoder]

Fix included in

• 2.7.9.4
• 2.8.11.2

which were just released and will be included in

• 2.9.6

as soon as we get it finalized -- being full release it is a bigger process than micro-patches.