Description
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Mitigation
*Update*: As of version 2.10.0, Jackson now provides a safe default typing solution that fully mitigates this vulnerability.
Reference: [https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2](https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2)
In order to mitigate this vulnerability, we recommend upgrading to at least version 2.10.0 and changing any usages of `enableDefaultTyping()` to `activateDefaultTyping()`.
Alternatively, if upgrading is not a viable option, this vulnerability can be mitigated by disabling default typing. Instead, you will need to implement your own type resolution:
> It is also possible to customize global defaulting, using ObjectMapper.setDefaultTyping(…) — you just have to implement your own TypeResolverBuilder (which is not very difficult); and by doing so, can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.
Reference: [https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization](https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization)
Examples of implementing your own typing can be found by looking at [Spring Security's fix](https://github.com/spring-projects/spring-security/commit/947d11f433b78294942cb5ea56e8aa5c3a0ca439) or [this Stack Overflow article](https://stackoverflow.com/questions/12353774/how-to-customize-jackson-type-information-mechanism).
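The following is an added example, not code from this advisory, from Jackson, or from Spring Security. It puts the three configurations discussed above side by side: the legacy `enableDefaultTyping()` call that honours any class name in the type id, the 2.10+ `activateDefaultTyping()` call guarded by a `BasicPolymorphicTypeValidator` allow list, and the pre-2.10 route of supplying your own `TypeResolverBuilder`. The package `com.example`, the `Payload` class and the two JSON inputs are constructed for the example; `java.util.Properties` is used only as a stand-in for "some JDK class that is not on the allow list", not as a known gadget.

```java
// Added example (hypothetical package and class names). Assumes jackson-databind 2.10+
// on the classpath; the custom-resolver variant also compiles against 2.9.
package com.example;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder;

public class DefaultTypingHardening {

    /** Application type that legitimately takes part in polymorphic (de)serialization. */
    public static class Payload {
        public String note;
    }

    // Constructed input: default typing uses WRAPPER_ARRAY, i.e. ["<class name>", {...}].
    // A type id naming one of our own classes must keep working...
    static final String APP_TYPE_JSON =
        "[\"com.example.DefaultTypingHardening$Payload\", {\"note\": \"hello\"}]";
    // ...while a type id naming an arbitrary JDK class must be rejected by a safe mapper.
    static final String JDK_TYPE_JSON = "[\"java.util.Properties\", {}]";

    /** BEFORE: the pattern the advisory says to replace. Any class name in the type id is honoured. */
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    /** AFTER (2.10+): default typing activated behind an allow list of application sub types. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.")   // only classes under our own package may be named
            .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    /**
     * Pre-2.10 fallback: a TypeResolverBuilder whose useForType() limits default typing to
     * application types, so a declared field of type Object never reads a type id at all.
     */
    @SuppressWarnings("deprecation")
    static ObjectMapper customResolverMapper() {
        TypeResolverBuilder<?> typer =
            new ObjectMapper.DefaultTypeResolverBuilder(ObjectMapper.DefaultTyping.NON_FINAL) {
                @Override
                public boolean useForType(JavaType t) {
                    // Replaces the NON_FINAL rule entirely: only our own package tree qualifies.
                    return t.getRawClass().getName().startsWith("com.example.");
                }
            }
            .init(JsonTypeInfo.Id.CLASS, null)
            .inclusion(JsonTypeInfo.As.WRAPPER_ARRAY);
        return new ObjectMapper().setDefaultTyping(typer);
    }

    /** Returns true when the mapper refuses the JDK-class type id, false when it instantiates it. */
    static boolean rejectsForeignTypeId(ObjectMapper mapper) throws Exception {
        try {
            Object result = mapper.readValue(JDK_TYPE_JSON, Object.class);
            // Legacy mapper lands here with a java.util.Properties instance.
            return !(result instanceof java.util.Properties);
        } catch (JsonMappingException denied) {
            // Validator denial (InvalidTypeIdException) is a JsonMappingException subtype.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        Payload ok = (Payload) hardenedMapper().readValue(APP_TYPE_JSON, Object.class);
        System.out.println("allow-listed type still deserializes: " + ok.note);
        System.out.println("legacy rejects foreign type id:   " + rejectsForeignTypeId(legacyMapper()));
        System.out.println("hardened rejects foreign type id: " + rejectsForeignTypeId(hardenedMapper()));
        System.out.println("custom resolver rejects it:       " + rejectsForeignTypeId(customResolverMapper()));
    }
}
```

The allow list is the important design choice: a prefix such as `com.example.` names only the classes you ship, so a type id pointing at any JDK class fails validation before an instance is created, which is what the unspecified-JDK-class issue in the description comes down to. In the pre-2.10 variant the same effect is reached one step earlier, because `useForType()` returning false for `Object` means Jackson never reads a type id from the input for such fields; note that the one-argument `DefaultTypeResolverBuilder` constructor is deprecated from 2.10 onwards, so on 2.10+ the validator form is the one to use.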