> From the following US CERT report:
> https://www.us-cert.gov/ncas/bulletins/SB18-043 (search for jackson-databind)
> it looks like jackson versions before 2.6.7.1, 2.7.9.1 and 2.8.9 have a
> deserialization flaw which could potentially enable remote code execution.
> Druid is on jackson version 2.6.7, and falls under this umbrella.
> Deserialization in druid mainly uses `@JsonTypeInfo` to explicitly define the
> type information and so we might be ok but it is better to consider upgrading
> the jackson version to be on the safer side.
[ Full content available at: https://github.com/apache/incubator-druid/issues/6347 ]
This message was relayed via gitbox.apache.org for [email protected]
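
The distinction the report draws between explicit `@JsonTypeInfo` and Jackson's class-name-based default typing, shown as an added example (not Druid's code, and not from the issue author): the `Aggregator` hierarchy and the type names are hypothetical, and the mapper is left without `enableDefaultTyping()`, which is the setting the deserialization flaw depends on.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class ExplicitTypeInfoDemo {

    // Hypothetical base type. The "type" property carries a logical name, not a
    // Java class name, and only the subtypes listed here can ever be instantiated.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = CountAggregator.class, name = "count"),
        @JsonSubTypes.Type(value = SumAggregator.class, name = "sum")
    })
    public static abstract class Aggregator {
        public String name;
    }

    public static class CountAggregator extends Aggregator { }

    public static class SumAggregator extends Aggregator {
        public String fieldName;
    }

    public static void main(String[] args) throws Exception {
        // Plain mapper: no enableDefaultTyping(), so a class name inside the JSON
        // payload is never used to pick the target class.
        ObjectMapper mapper = new ObjectMapper();

        // Constructed input using a registered logical type name.
        String ok = "{\"type\":\"sum\",\"name\":\"total\",\"fieldName\":\"bytes\"}";
        Aggregator a = mapper.readValue(ok, Aggregator.class);
        System.out.println("parsed as " + a.getClass().getSimpleName());

        // Constructed input whose type id is outside the allowlist: Jackson rejects
        // it while resolving the id, before any class is loaded or constructed.
        String unknown = "{\"type\":\"some.other.ClassName\",\"name\":\"x\"}";
        try {
            mapper.readValue(unknown, Aggregator.class);
        } catch (JsonMappingException e) {
            System.out.println("rejected unknown type id: " + e.getOriginalMessage());
        }
    }
}
```

The check for explicit type handling is therefore whether every polymorphic base type carries `@JsonTypeInfo` with a closed `@JsonSubTypes` list and no `ObjectMapper` in the code base calls `enableDefaultTyping()`; upgrading the library, as the report recommends, is still the step that removes the flaw itself.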
