ashwintumma23 opened a new pull request, #19618: URL: https://github.com/apache/druid/pull/19618
## Summary

Updates Jackson from version 2.21.3 to 2.22.0 to address 4 high severity security vulnerabilities in jackson-core, jackson-databind, and jackson-annotations.

## Release note

Upgraded com.fasterxml.jackson dependencies from version 2.21.3 to 2.22.0 to address security vulnerabilities.

---

### Key changed/added classes in this PR

* Top Level pom.xml
* licenses.yaml

---

## Reason for upgrade

Jackson is a core JSON processing library used extensively throughout Druid for serialization and deserialization of configuration, query requests, ingestion specs, segment metadata, and internal communication between nodes. The upgrade from 2.21.3 to 2.22.0 addresses 4 high severity security vulnerabilities that pose significant risks to data integrity, service availability, and security posture. Since Druid processes sensitive data and exposes REST APIs for queries, ingestion, and cluster coordination, these vulnerabilities could allow attackers to manipulate serialized data, cause denial of service, or potentially execute unauthorized operations. Upgrading to version 2.22.0 patches all identified vulnerabilities and is essential for maintaining a secure production environment.

## CVEs Addressed

**High Severity:**

* CVE-2026-54513: Deserialization vulnerability in jackson-databind allowing unauthorized data manipulation through polymorphic type handling bypass
* CVE-2026-54512: Denial of service through unbounded resource consumption in jackson-databind during deeply nested JSON parsing
* CVE-2026-54514: Information disclosure via jackson-databind through improper exception handling exposing internal application state
* CVE-2026-54516: Arbitrary code execution risk in jackson-core through maliciously crafted JSON leading to unsafe object instantiation

## Changes

This PR includes changes to two files to complete the Jackson security upgrade and satisfy Druid's license compliance requirements:

**1. pom.xml (1 line changed)**

* Updated `jackson.version` property from `2.21.3` to `2.22.0`

**2. licenses.yaml (4 sections updated, 8 lines changed)**

* Updated Jackson core version: `2.21.3` → `2.22.0` in `java-core` module
* Updated Jackson version: `2.21.3` → `2.22.0` in `extensions-contrib/druid-deltalake-extensions` module
* Updated Jackson version: `2.21.3` → `2.22.0` in `extensions-core/kubernetes-overlord-extensions` module
* Updated Jackson Dataformat Yaml version: `2.21.3` → `2.22.0` in `extensions/druid-avro-extensions` module

## Tests

* Verified the dependency resolves correctly with all transitive dependencies
* Build completes successfully with the updated version
* Existing integration tests pass with the upgraded Jackson version
* License validation passes for all modules
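A version bump through a single `jackson.version` property only closes the vulnerabilities if every Jackson artifact Maven actually resolves (including the dataformat modules pinned separately in licenses.yaml) lands on the new version. The check below is an added example, not code from the Druid PR: it parses the plain-text `groupId:artifactId:type:version:scope` lines that `mvn dependency:list` prints and reports any `com.fasterxml.jackson.*` artifact whose resolved version differs from the expected one. The sample output it runs on is constructed, not real Druid build output.

```python
"""Report Jackson artifacts that did not resolve to the pinned version."""
import re

# Constructed sample of `mvn dependency:list` output (not real Druid output).
# One dataformat artifact is deliberately left at the old version to show a hit.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.22.0:compile
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.22.0:compile
[INFO]    com.fasterxml.jackson.core:jackson-annotations:jar:2.22.0:compile
[INFO]    com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.21.3:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.14.0:compile
"""

# groupId:artifactId:type[:classifier]:version:scope, as printed by dependency:list
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w\-]+))?:(?P<version>[^:\s]+):(?P<scope>\w+)"
)


def parse_dependency_list(text):
    """Return (groupId, artifactId, version) for each resolved artifact line."""
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m:
            deps.append((m["group"], m["artifact"], m["version"]))
    return deps


def find_jackson_version_drift(text, expected):
    """Return Jackson artifacts whose resolved version is not `expected`.

    Any hit means a module or transitive dependency still pulls an older
    (unpatched) Jackson despite the property bump in the top-level pom.
    """
    return [
        (group, artifact, version)
        for group, artifact, version in parse_dependency_list(text)
        if group.startswith("com.fasterxml.jackson") and version != expected
    ]


if __name__ == "__main__":
    drift = find_jackson_version_drift(SAMPLE_OUTPUT, "2.22.0")
    for group, artifact, version in drift:
        print(f"version drift: {group}:{artifact} resolved to {version}")
    raise SystemExit(1 if drift else 0)
```

Feed it the real `mvn dependency:list` output for each module and a non-zero exit marks a module that still resolves an old Jackson artifact.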
