Jackson Databind deserialization in EAP 6.4

Solution Verified - Updated -

Issue

  • How to protect EAP 6.4 from jackson databind deserialization vulnerabilities?
  • Getting an error with custom Jackson JSON mappings:

    org.codehaus.jackson.map.JsonMappingException: Illegal type (<fully qualified class name>) to deserialize: prevented for security reasons
    
  • Jackson error after applying patch 6.4 CP21

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.4 CP20
