From the following US CERT report: https://www.us-cert.gov/ncas/bulletins/SB18-043 (search for jackson-databind) it looks like jackson versions before 2.6.7.1, 2.7.9.1 and 2.8.9 have a deserialization flaw which could potentially enable remote code execution. Druid is on jackson version 2.6.7, and falls under this umbrella. Deserialization in druid mainly uses @JsonTypeInfo to explicitly define the type information and so we may be OK, but it is better to consider upgrading the jackson version (to 2.6.7.1) to be on the safer side.
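The distinction the post relies on, as an added example that is not part of the original issue and not Druid's own code: a mapper whose polymorphic types are declared with `@JsonTypeInfo(use = NAME)` plus a closed `@JsonSubTypes` list only ever instantiates classes from that list and rejects any other type id, whereas a mapper with Jackson's global default typing enabled lets the JSON document itself name the class to instantiate, which is the configuration the advisory concerns. The `Spec`, `CountSpec` and `SumSpec` classes are hypothetical stand-ins for the Druid pattern; the permissive case is shown with a harmless `java.util.HashMap` only.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class TypeInfoDemo {

    // Hypothetical interface mirroring the Druid pattern: the set of allowed
    // concrete types is closed and declared in code, keyed by a short name.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(name = "count", value = CountSpec.class),
        @JsonSubTypes.Type(name = "sum", value = SumSpec.class)
    })
    interface Spec {}

    static class CountSpec implements Spec {
        public String name;
    }

    static class SumSpec implements Spec {
        public String name;
        public String fieldName;
    }

    // Resolves a "type" id through the closed @JsonSubTypes list; any id not in
    // the list fails with JsonMappingException instead of loading a class.
    static Spec readSpec(ObjectMapper mapper, String json) throws Exception {
        return mapper.readValue(json, Spec.class);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper explicit = new ObjectMapper();

        // Known type id: resolved to SumSpec from the declared list.
        Spec s = readSpec(explicit, "{\"type\":\"sum\",\"name\":\"x\",\"fieldName\":\"y\"}");
        System.out.println("resolved to " + s.getClass().getSimpleName());

        // Unknown type id: the JSON cannot name an arbitrary class here.
        try {
            readSpec(explicit, "{\"type\":\"java.util.HashMap\",\"name\":\"x\"}");
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }

        // Contrast: global default typing (deprecated in later Jackson releases)
        // makes the mapper honour a class name embedded in the document when the
        // declared target is Object or another non-concrete type. The default
        // inclusion is a wrapper array: [ "<class name>", <value> ].
        ObjectMapper permissive = new ObjectMapper();
        permissive.enableDefaultTyping();
        Object o = permissive.readValue("[\"java.util.HashMap\",{\"k\":\"v\"}]", Object.class);
        System.out.println("document chose " + o.getClass().getName());
    }
}
```

With the explicit mapper the attacker-controlled part of the document can only select among `count` and `sum`; with the permissive mapper the document selects the class, and the advisory's fix in 2.6.7.1 is a denylist applied inside that second path, which is why an upgrade is still worthwhile even though Druid's own deserialization follows the first pattern. Worth checking in the same review: whether any `ObjectMapper` in the code base calls `enableDefaultTyping` or registers a custom `TypeResolverBuilder`, and whether any endpoint deserializes into `Object` or a non-final abstract type without a `@JsonTypeInfo` declaration.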