[security] jackson-databind dependency needs to be upgraded

[himanshug]

jackson-databind security vulnerability published: https://bugzilla.redhat.com/show_bug.cgi?id=1462702

jackson-databind issue: FasterXML/jackson-databind#1599

version < 2.8.9 seems problematic.

[drcrallen]

@himanshug do you know what versions of hadoop such a thing would break?

We use a 2.6 version internally for spark compatibility, but haven't tried a 2.8.

[drcrallen]

Also, @himanshug would you mind please adding a Security label?

[himanshug]

@drcrallen I haven't really analyzed it at all. I came across the issue and security is major concern , so created this issue at least to track that something needs to be done.
I think, in the past, we had issues when trying to upgrade jackson.

[himanshug]

sure, creating the new label now.

[gianm]

At first glance it doesn't look like Druid is affected. The vulnerability described in the paper (https://www.github.com/mbechler/marshalsec) is that in some configurations Jackson will deserialize JSON into arbitrary classes based on a field in the JSON with the class name. Then that can be used to trigger code execution during construction of certain classes.

But, from the paper:

Jackson, in its default configuration, does perform strict runtime type checking, including collection generic types, and does not allow the specification of arbitrary types — therefore it is unaffected by these issues by default.

The paper goes on to discuss options you can set in Jackson that will enable this insecure behavior. It mentions a few:

• objectMapper.enableDefaultTyping()
• a custom TypeResolverBuilder
• @JsonTypeInfo on a field

As far as I can tell we are not using any of these. That list might not be exhaustive, but as far as I can tell we are also not using any other thing that would involve allowing the java class name to be read from the json serialized form. We make wide use of @JsonTypeInfo but it is always with use = JsonTypeInfo.Id.NAME, meaning custom strings that are not class names.

It's still good to upgrade, but I don't think it needs to be urgent since it seems likely that there is no actual vulnerability in Druid.

[drcrallen]

Related slightly due to jackson version change: #4808

[himanshug]

@gianm thanks for looking into it more and finding the scope of exploit, good to know that we are not impacted. however, let us keep it open to try out newer versions whenever possible.