Public
  1. Public

arrow

Public

Commits

david dali susanibar arceDavid Li
b64fd28afb3
david dali susanibar arce authored and David Li committed a63ee07f345
ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

[CVE-2020-36518](https://github.com/advisories/GHSA-57j2-w4cx-62h2): Deeply nested json in jackson-databind.

Solved based on [Jackson release 2.13](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13):
````
jackson-databind 2.13.2.2 (28-Mar-2022) -- with jackson-bom version 2.13.2.20220328
````

Before the change: ` mvn compile dependency:tree -Drat.skip=true | grep databind` :
````
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:test
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
````

After the change:
````
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:test
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
````

Closes #12880 from davisusanibar/java-cve-ARROW-16143

Authored-by: david dali susanibar arce <davi.sarces@gmail.com>
Signed-off-by: David Li <li.davidm96@gmail.com>