JinwooHwang opened a new pull request, #8002: URL: https://github.com/apache/geode/pull/8002
## Summary Upgrade Jackson libraries from **2.18.6** to **2.21.2** to address a high-severity security vulnerability in `jackson-core`. - `jackson-core`, `jackson-databind`, `jackson-dataformat-yaml`, `jackson-datatype-joda`, `jackson-datatype-jsr310`: **2.18.6 → 2.21.2** - `jackson-annotations`: **2.18.6 → 2.21** (aligned with upstream release versioning) ## Security Vulnerability | Field | Details | |-------|---------| | **Snyk ID** | [SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551) | | **Type** | Allocation of Resources Without Limits or Throttling ([CWE-770](https://cwe.mitre.org/data/definitions/770.html)) | | **Severity** | **8.7 HIGH** (CVSS v4.0) | | **Affected Package** | `com.fasterxml.jackson.core:jackson-core` | | **Affected Versions** | [2.8.0, 2.21.2) | | **Fixed Version** | 2.21.2 | | **Disclosed** | 4 Apr 2026 | | **Published** | 5 Apr 2026 | ### Description Affected versions of `jackson-core` are vulnerable to Allocation of Resources Without Limits or Throttling in the enforcement of document length constraints in blocking, async, and DataInput parser processes. An attacker can cause excessive resource consumption by submitting oversized JSON documents that bypass configured size limits. ### References - [GitHub Issue #1570](https://github.com/FasterXML/jackson-core/issues/1570) - [Maintainer's Advisory (GHSA-2m67-wjpj-xhg9)](https://github.com/FasterXML/jackson-core/security/advisories/GHSA-2m67-wjpj-xhg9) - [Fix Commit 74c9ee2](https://github.com/FasterXML/jackson-core/commit/74c9ee255d1534c179bc7d3de48941bf39a9079c) - [Fix Commit 7ce3622](https://github.com/FasterXML/jackson-core/commit/7ce3622f40e66bd821b5184d6055d8493afac5f3) ## Changes | File | Description | |------|-------------| | `DependencyConstraints.groovy` | Updated `jackson.version` and `jackson.databind.version` to `2.21.2`; added separate `jackson.annotations.version` set to `2.21` | | `assembly_content.txt` | Updated Jackson jar filenames to new versions | | `gfsh_dependency_classpath.txt` | Updated Jackson jar filenames to new versions | | `dependency_classpath.txt` | Updated Jackson jar filenames to new versions | | `expected-pom.xml` | Updated Jackson dependency versions in BOM | ## Testing - [x] `build` — compiles successfully - [x] `test` — unit tests pass <!-- Thank you for submitting a contribution to Apache Geode. --> <!-- In order to streamline review of your contribution we ask that you ensure you've taken the following steps. --> ### For all changes, please confirm: - [x] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message? - [x] Has your PR been rebased against the latest commit within the target branch (typically `develop`)? - [x] Is your initial contribution a single, squashed commit? - [x] Does `gradlew build` run cleanly? - [ ] Have you written or updated unit tests to verify your changes? - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
