CVE-2017-4995: Deserialization of Untrusted Data

When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. which means that (through the previous exploit) arbitrary code could be executed if all of the following is true: (1) Spring Security’s Jackson support is being leveraged by invoking SecurityJackson2Modules.getModules(ClassLoader) or SecurityJackson2Modules.enableDefaultTyping(ObjectMapper); (2) Jackson is used to deserialize data that is not trusted (Spring Security does not perform deserialization using Jackson, so this is an explicit choice of the user); and (3) there is an unknown (Jackson is not excluding it already) deserialization gadget that allows code execution present on the classpath. Jackson provides a exclusion approach to protecting against this type of attack, but Spring Security should be proactive against blocking unknown deserialization gadgets when Spring Security enables default typing.