Description
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Mitigation
*Update*: As of version 2.10.0, Jackson now provides a safe default typing solution that fully mitigates this vulnerability.
Reference: [https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2](https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2)
In order to mitigate this vulnerability, we recommend upgrading to at least version 2.10.0 and changing any usages of `enableDefaultTyping()` to `activateDefaultTyping()`.
Alternatively, if upgrading is not a viable option, this vulnerability can be mitigated by disabling default typing. Instead, you will need to implement your own:
>It is also possible to customize global defaulting, using ObjectMapper.setDefaultTyping(…) — you just have to implement your own TypeResolverBuilder (which is not very difficult); and by doing so, can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.
Reference: [https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization](https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization)
Examples of implementing your own typing can be found by looking at [Spring Security's fix](https://github.com/spring-projects/spring-security/commit/947d11f433b78294942cb5ea56e8aa5c3a0ca439) or [this Stack Overflow article](https://stackoverflow.com/questions/12353774/how-to-customize-jackson-type-information-mechanism).
