diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index a3624f8036..3a24d72614 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -8,7 +8,9 @@ Project: jackson-databind
 
 #2986: Block two more gadget types (commons-dbcp2, CVE-2020-35490/CVE-2020-35491)
  (reported by Al1ex@knownsec)
-#2996: Block 2 more gadget types (placeholder)
+#2996: Block 2 more gadget types (newrelic-agent)
+ (reported by Al1ex@knownsec)
+#2997: Block 2 more gadget types (tomcat/naming-factory-dbcp)
  (reported by Al1ex@knownsec)
 
 2.9.10.7 (02-Dec-2020)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 0b4c2778fc..578a1be5dc 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -216,6 +216,11 @@ public class SubTypeValidator
         s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource");
         s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource");
 
+        // [databind#2997]: tomcat/naming-factory-dbcp (embedded dbcp 1.x)
+        // (derivative of #2478)
+        s.add("org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource");
+        s.add("org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }