GEODE-10576: Remediation of security vulnerability (GHSA-2m67-wjpj-xhg9)

boms/geode-all-bom/src/test/resources/expected-pom.xml

@@ -470,27 +470,27 @@
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-annotations</artifactId>
-        <version>2.18.6</version>
+        <version>2.21</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-core</artifactId>
-        <version>2.18.6</version>
+        <version>2.21.2</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-databind</artifactId>
-        <version>2.18.6</version>
+        <version>2.21.2</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.datatype</groupId>
         <artifactId>jackson-datatype-joda</artifactId>
-        <version>2.18.6</version>
+        <version>2.21.2</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.datatype</groupId>
         <artifactId>jackson-datatype-jsr310</artifactId>
-        <version>2.18.6</version>
+        <version>2.21.2</version>
       </dependency>
       <dependency>
         <groupId>com.jayway.jsonpath</groupId>

build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy

@@ -44,8 +44,9 @@ class DependencyConstraints {
     deps.put("shiro.version", "1.13.0")
     deps.put("slf4j-api.version", "1.7.36")
     deps.put("jboss-modules.version", "1.11.0.Final")
-    deps.put("jackson.version", "2.18.6")
-    deps.put("jackson.databind.version", "2.18.6")
+    deps.put("jackson.version", "2.21.2")
+    deps.put("jackson.annotations.version", "2.21")
+    deps.put("jackson.databind.version", "2.21.2")
     deps.put("springshell.version", "1.2.0.RELEASE")
     deps.put("springframework.version", "5.3.20")
 
@@ -179,8 +180,11 @@ class DependencyConstraints {
       entry('mockito-junit-jupiter')
     }
 
-    dependencySet(group: 'com.fasterxml.jackson.core', version: get('jackson.version')) {
+    dependencySet(group: 'com.fasterxml.jackson.core', version: get('jackson.annotations.version')) {
       entry('jackson-annotations')
+    }
+
+    dependencySet(group: 'com.fasterxml.jackson.core', version: get('jackson.version')) {
       entry('jackson-core')
     }
 

geode-assembly/src/distributedTest/java/org/apache/geode/management/JQFilterVerificationDUnitTest.java

@@ -97,10 +97,10 @@ public static void beforeClass() throws IOException {
     client = new GeodeDevRestClient("/management", "localhost", locator.getHttpPort(), false);
     JsonNode jsonObject =
         client.doGetAndAssert("/v3/api-docs").getJsonObject().get("paths");
-    Iterator<Map.Entry<String, JsonNode>> urls = jsonObject.fields();
+    Iterator<Map.Entry<String, JsonNode>> urls = jsonObject.properties().iterator();
     while (urls.hasNext()) {
       Map.Entry<String, JsonNode> url = urls.next();
-      Iterator<Map.Entry<String, JsonNode>> methods = url.getValue().fields();
+      Iterator<Map.Entry<String, JsonNode>> methods = url.getValue().properties().iterator();
       while (methods.hasNext()) {
         Map.Entry<String, JsonNode> method = methods.next();
         // gather all the rest endpoint that has jqFilter defined.

geode-assembly/src/integrationTest/resources/assembly_content.txt

@@ -1004,11 +1004,11 @@ lib/gfsh-dependencies.jar
 lib/httpclient-4.5.13.jar
 lib/httpcore-4.4.15.jar
 lib/istack-commons-runtime-4.0.1.jar
-lib/jackson-annotations-2.18.6.jar
-lib/jackson-core-2.18.6.jar
-lib/jackson-databind-2.18.6.jar
-lib/jackson-datatype-joda-2.18.6.jar
-lib/jackson-datatype-jsr310-2.18.6.jar
+lib/jackson-annotations-2.21.jar
+lib/jackson-core-2.21.2.jar
+lib/jackson-databind-2.21.2.jar
+lib/jackson-datatype-joda-2.21.2.jar
+lib/jackson-datatype-jsr310-2.21.2.jar
 lib/javax.activation-api-1.2.0.jar
 lib/javax.mail-api-1.6.2.jar
 lib/javax.resource-api-1.7.1.jar

geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt

@@ -21,11 +21,11 @@ spring-shell-1.2.0.RELEASE.jar
 spring-web-5.3.20.jar
 commons-lang3-3.12.0.jar
 rmiio-2.1.2.jar
-jackson-datatype-joda-2.18.6.jar
-jackson-annotations-2.18.6.jar
-jackson-core-2.18.6.jar
-jackson-datatype-jsr310-2.18.6.jar
-jackson-databind-2.18.6.jar
+jackson-datatype-joda-2.21.2.jar
+jackson-annotations-2.21.jar
+jackson-core-2.21.2.jar
+jackson-datatype-jsr310-2.21.2.jar
+jackson-databind-2.21.2.jar
 swagger-annotations-2.2.1.jar
 jopt-simple-5.0.4.jar
 log4j-slf4j-impl-2.17.2.jar

geode-common/src/main/java/org/apache/geode/util/internal/GeodeJsonMapper.java

@@ -41,13 +41,15 @@ public static ObjectMapper getMapper() {
         .enable(JsonParser.Feature.ALLOW_SINGLE_QUOTES)
         .enable(MapperFeature.USE_BASE_TYPE_AS_DEFAULT_IMPL)
         .build();
-    mapper.setSerializationInclusion(JsonInclude.Include.NON_EMPTY);
+    mapper.setDefaultPropertyInclusion(
+        JsonInclude.Value.construct(JsonInclude.Include.NON_EMPTY, JsonInclude.Include.NON_EMPTY));
     return mapper;
   }
 
   public static ObjectMapper getMapperWithAlwaysInclusion() {
     ObjectMapper mapper = getMapper();
-    mapper.setSerializationInclusion(JsonInclude.Include.ALWAYS);
+    mapper.setDefaultPropertyInclusion(
+        JsonInclude.Value.construct(JsonInclude.Include.ALWAYS, JsonInclude.Include.ALWAYS));
     return mapper;
   }
 

geode-server-all/src/integrationTest/resources/dependency_classpath.txt

@@ -9,7 +9,7 @@ spring-jcl-5.3.20.jar
 commons-codec-1.15.jar
 classgraph-4.8.147.jar
 commons-logging-1.3.5.jar
-jackson-databind-2.18.6.jar
+jackson-databind-2.21.2.jar
 geode-management-0.0.0.jar
 geode-core-0.0.0.jar
 javax.activation-api-1.2.0.jar
@@ -44,7 +44,7 @@ rmiio-2.1.2.jar
 geode-tcp-server-0.0.0.jar
 log4j-jcl-2.17.2.jar
 geode-connectors-0.0.0.jar
-jackson-core-2.18.6.jar
+jackson-core-2.21.2.jar
 jetty-util-9.4.57.v20241219.jar
 log4j-slf4j-impl-2.17.2.jar
 lucene-analyzers-common-6.6.6.jar
@@ -71,7 +71,7 @@ jaxb-impl-2.3.2.jar
 jna-platform-5.11.0.jar
 log4j-jul-2.17.2.jar
 HdrHistogram-2.1.12.jar
-jackson-annotations-2.18.6.jar
+jackson-annotations-2.21.jar
 micrometer-core-1.9.1.jar
 shiro-config-ogdl-1.13.0.jar
 geode-log4j-0.0.0.jar
@@ -87,7 +87,7 @@ antlr-2.7.7.jar
 jetty-xml-9.4.57.v20241219.jar
 geode-rebalancer-0.0.0.jar
 jetty-server-9.4.57.v20241219.jar
-jackson-datatype-jsr310-2.18.6.jar
-jackson-datatype-joda-2.18.6.jar
+jackson-datatype-jsr310-2.21.2.jar
+jackson-datatype-joda-2.21.2.jar
 joda-time-2.10.14.jar
 byte-buddy-1.14.9.jar

pull-requests/GEODE-10576.md

@@ -0,0 +1,63 @@
+# GEODE-10576: Remediation of security vulnerability (GHSA-2m67-wjpj-xhg9)
+
+**Base branch:** `support/1.15`
+
+## Summary
+
+Upgrade Jackson libraries from 2.17.0 to 2.21.2 to address a high-severity security vulnerability in `jackson-core`.
+
+- `jackson-core`, `jackson-databind`, `jackson-dataformat-yaml`, `jackson-datatype-joda`, `jackson-datatype-jsr310`: 2.17.0 → 2.21.2
+- `jackson-annotations`: 2.17.0 → 2.21 (aligned with upstream release versioning)
+
+## Security Vulnerability
+
+| Field | Value |
+|---|---|
+| Snyk ID | SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551 |
+| Type | Allocation of Resources Without Limits or Throttling (CWE-770) |
+| Severity | 8.7 HIGH (CVSS v4.0) |
+| Affected Package | com.fasterxml.jackson.core:jackson-core |
+| Affected Versions | [2.8.0, 2.21.2) |
+| Fixed Version | 2.21.2 |
+| Disclosed | 4 Apr 2026 |
+| Published | 5 Apr 2026 |
+
+### Description
+
+Affected versions of `jackson-core` are vulnerable to Allocation of Resources Without Limits or Throttling in the
+enforcement of document length constraints in blocking, async, and DataInput
+parser processes. An attacker can cause excessive resource consumption by submitting
+oversized JSON documents that bypass configured size limits.
+
+### References
+
+- [GitHub Issue #1570](https://github.com/FasterXML/jackson-core/issues/1570)
+- [Maintainer's Advisory (GHSA-2m67-wjpj-xhg9)](https://github.com/FasterXML/jackson-core/security/advisories/GHSA-2m67-wjpj-xhg9)
+- [Fix Commit 74c9ee2](https://github.com/FasterXML/jackson-core/commit/74c9ee255d1534c179bc7d3de48941bf39a9079c)
+- [Fix Commit 7ce3622](https://github.com/FasterXML/jackson-core/commit/7ce3622f40e66bd821b5184d6055d8493afac5f3)
+
+## Changes
+
+| File | Description |
+|---|---|
+| DependencyConstraints.groovy | Updated jackson.version and jackson.databind.version to 2.21.2; added separate jackson.annotations.version set to 2.21 |
+| GeodeJsonMapper.java | Replaced deprecated `ObjectMapper.setSerializationInclusion()` with `setDefaultPropertyInclusion()` |
+| JQFilterVerificationDUnitTest.java | Replaced deprecated `JsonNode.fields()` with `properties().iterator()` |
+| assembly_content.txt | Updated Jackson jar filenames to new versions |
+| gfsh_dependency_classpath.txt | Updated Jackson jar filenames to new versions |
+| dependency_classpath.txt | Updated Jackson jar filenames to new versions |
+| expected-pom.xml | Updated Jackson dependency versions in BOM |
+
+## Testing
+
+- `build` — compiles successfully
+- `test` — unit tests pass (7477 tests completed, 1 pre-existing failure unrelated to Jackson)
+
+### For all changes, please confirm:
+
+- [x] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
+- [x] Has your PR been rebased against the latest commit within the target branch (typically `support/1.15`)?
+- [x] Is your initial contribution a single, squashed commit?
+- [x] Does `gradlew build` run cleanly?
+- [x] Have you written or updated unit tests to verify your changes?
+- [x] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?