GEODE-10576: Remediation of security vulnerability (GHSA-2m67-wjpj-xhg9)#8003

Open
JinwooHwang wants to merge 1 commit into apache:support/1.15 from JinwooHwang:feature/GEODE-10576

Conversation

@JinwooHwang
Contributor

Base branch: support/1.15

Summary

Upgrade Jackson libraries to 2.21.2 to address a high-severity security vulnerability in jackson-core.

  • jackson-core, jackson-databind, jackson-dataformat-yaml, jackson-datatype-joda, jackson-datatype-jsr310: 2.21.2
  • jackson-annotations: 2.21 (aligned with upstream release versioning)

Security Vulnerability

Field Value
Snyk ID SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551
Type Allocation of Resources Without Limits or Throttling (CWE-770)
Severity 8.7 HIGH (CVSS v4.0)
Affected Package com.fasterxml.jackson.core:jackson-core
Affected Versions [2.8.0, 2.21.2)
Fixed Version 2.21.2
Disclosed 4 Apr 2026
Published 5 Apr 2026

Description

Affected versions of jackson-core are vulnerable to Allocation of Resources Without Limits or Throttling in the
enforcement of document length constraints in blocking, async, and DataInput
parser processes. An attacker can cause excessive resource consumption by submitting
oversized JSON documents that bypass configured size limits.

References

Changes

File Description
DependencyConstraints.groovy Updated jackson.version and jackson.databind.version to 2.21.2; added separate jackson.annotations.version set to 2.21
GeodeJsonMapper.java Replaced deprecated ObjectMapper.setSerializationInclusion() with setDefaultPropertyInclusion()
JQFilterVerificationDUnitTest.java Replaced deprecated JsonNode.fields() with properties().iterator()
assembly_content.txt Updated Jackson jar filenames to new versions
gfsh_dependency_classpath.txt Updated Jackson jar filenames to new versions
dependency_classpath.txt Updated Jackson jar filenames to new versions
expected-pom.xml Updated Jackson dependency versions in BOM

Testing

  • build — compiles successfully
  • test — unit tests pass

For all changes, please confirm:

  • Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
  • Has your PR been rebased against the latest commit within the target branch (typically develop)?
  • Is your initial contribution a single, squashed commit?
  • Does gradlew build run cleanly?
  • Have you written or updated unit tests to verify your changes?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?

- Upgrade jackson-core, jackson-databind, jackson-dataformat-yaml,
  jackson-datatype-joda, jackson-datatype-jsr310 from 2.17.0 to 2.21.2
- Upgrade jackson-annotations from 2.17.0 to 2.21
- Replace deprecated ObjectMapper.setSerializationInclusion() with
  setDefaultPropertyInclusion() in GeodeJsonMapper
- Replace deprecated JsonNode.fields() with properties().iterator()
  in JQFilterVerificationDUnitTest
- Addresses SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551
@JinwooHwang JinwooHwang requested a review from kaajaln2 April 9, 2026 21:43
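The advisory above is about jackson-core not enforcing its configured document length limit, so the practical questions for anyone consuming this upgrade are how that limit is set and what else stands between an oversized request body and the parser. The following is an added example written for this page; it is not code from this PR or from Geode. It assumes jackson-core 2.16 or later for the maxDocumentLength API, and the 1 KiB limit, the class name BoundedJsonExample and the sample documents are illustrative choices. It shows the StreamReadConstraints configuration that the fixed 2.21.2 parser enforces, the non-deprecated setDefaultPropertyInclusion() and properties() calls this PR migrates to, and a caller-side byte cap that rejects oversized input before the parser reads it, which holds regardless of whether the library-level check is working.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public class BoundedJsonExample {

    // Illustrative limit (assumption for this example): 1 KiB, small enough that the
    // padded sample document below exceeds it. Production values depend on the API.
    static final long MAX_DOCUMENT_BYTES = 1024L;

    /** Mapper whose parser carries explicit read constraints (jackson-core >= 2.16 API). */
    static ObjectMapper buildMapper() {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxDocumentLength(MAX_DOCUMENT_BYTES) // whole-document size, the limit at issue
                .maxNestingDepth(100)                  // bounds stack growth on deeply nested input
                .maxStringLength(64 * 1024)            // bounds a single string token
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
        ObjectMapper mapper = new ObjectMapper(factory);
        // Non-deprecated form of setSerializationInclusion(NON_NULL).
        mapper.setDefaultPropertyInclusion(JsonInclude.Include.NON_NULL);
        return mapper;
    }

    /** Caller-side byte cap that does not depend on the parser's own enforcement. */
    static final class LimitedInputStream extends FilterInputStream {
        private final long limit;
        private long count;

        LimitedInputStream(InputStream in, long limit) {
            super(in);
            this.limit = limit;
        }

        private void account(long n) throws IOException {
            if (n > 0 && (count += n) > limit) {
                throw new IOException("input exceeds " + limit + " bytes");
            }
        }

        @Override
        public int read() throws IOException {
            int b = super.read();
            account(b < 0 ? 0 : 1);
            return b;
        }

        @Override
        public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            account(n);
            return n;
        }
    }

    /** Parses an untrusted body behind both layers; returns the tree or throws. */
    static JsonNode parseUntrusted(ObjectMapper mapper, byte[] body) throws IOException {
        try (InputStream in = new LimitedInputStream(new ByteArrayInputStream(body), MAX_DOCUMENT_BYTES)) {
            return mapper.readTree(in);
        }
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = buildMapper();

        // Constructed inputs: one small document, one padded past the limit.
        byte[] small = "{\"region\":\"orders\",\"count\":3}".getBytes(StandardCharsets.UTF_8);
        StringBuilder big = new StringBuilder("{\"pad\":\"");
        for (int i = 0; i < MAX_DOCUMENT_BYTES; i++) {
            big.append('x');
        }
        byte[] oversized = big.append("\"}").toString().getBytes(StandardCharsets.UTF_8);

        JsonNode ok = parseUntrusted(mapper, small);
        // properties() is the replacement for the deprecated fields() iterator.
        for (Map.Entry<String, JsonNode> e : ok.properties()) {
            System.out.println(e.getKey() + " = " + e.getValue());
        }

        try {
            parseUntrusted(mapper, oversized);
            System.out.println("oversized document accepted: neither limit fired");
        } catch (StreamConstraintsException e) {
            System.out.println("rejected by jackson-core constraints: " + e.getMessage());
        } catch (IOException e) {
            System.out.println("rejected by caller-side cap: " + e.getMessage());
        }
    }
}
```

The wrapper counts bytes as the parser pulls them, so the oversized sample is refused on the first buffer fill before any tokenizing happens, on any jackson-core version; the StreamReadConstraints settings remain worthwhile because they also cover nesting depth and token size, and they apply to sources the wrapper does not sit in front of, such as DataInput or byte arrays handed to the mapper directly.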