Block one more gadget type (cxf-jax-rs, no CVE allocated yet)

[cowtowncoder]

Similar to other Unbounded Polymorphic Type (default typing, usually) vulnerabilities, one was reported against CXF JAX-RS implementation. Details to be added once specific class added to deny-list.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Fixed in:

• 2.9.10
• 2.8.11.5
• 2.6.7.3
• does not affect 2.10.0 and later

[cowtowncoder]

Block added, will be included in:

• 2.9.10
• 2.10.0.pr2 (and final 2.10.0)

also backported in 2.8 branch but not sure if any more releases for 2.8 will be made.

[jdelta-RBS]

@cowtowncoder Assuming this affects 2.7.9.6, 2.8.11.4, and 2.9.9.3, correct?

[cowtowncoder]

@jdelta-RBS Correct.

[yangqi1210]

@cowtowncoder Does this affect 2.9.9.2 ?

[jdelta-RBS]

@cowtowncoder Does this affect 2.9.9.2 ?

If 2.9.9.3 is affected, 2.9.9.2 is going to be as well.