
Bump jacksonVersion 2.10.0 to 2.18.8 #1036

Merged
akshayrai merged 1 commit into linkedin:master from akshayrai:jackson-cve-bump-2.18.8
Jun 25, 2026

Conversation

@akshayrai

Collaborator

Summary

  • All three jackson-{annotations,core,databind} declarations in build.gradle already share this single $jacksonVersion property, so the bump propagates uniformly.
  • No source changes needed: the offending Jackson APIs used by datastream-common's JsonUtils, AvroEncodingException, etc. are API-compatible between 2.10 and 2.18.

Testing Done

PR checks

…eValidator CVEs

The fasterxml/jackson-databind project published patches for two
High-severity polymorphic-type-validation bypasses:
CVE-2026-54513 (GHSA-rmj7-2vxq-3g9f)
allowIfSubTypeIsArray array-subtype allowlist bypass.
CVE-2026-54512 (GHSA-j3rv-43j4-c7qm)
Generic-type-parameter bypass that allows arbitrary class instantiation.
Both CVEs cover every release before the per-line patched versions:
2.10.x..2.18.7  -> patched in 2.18.8
2.19.x..2.21.3  -> patched in 2.21.4
3.0.0..3.1.3    -> patched in 3.1.4
OSS Brooklin's gradle/dependency-versions.gradle has been pinned at
2.10.0 since the original log4j2 migration (f2bd8ed); under the CVE
ranges, every downstream consumer is vulnerable.
Bump the floor to 2.18.8 -- the smallest jump that lands in a patched
release line. Picked over 2.21.4 (the next-line patched release) to
minimize compatibility risk: 2.10 -> 2.18 stays within Jackson's
backward-compatible-by-default API contract; 2.10 -> 2.21 has been
known to surface deserialization-edge-case breakages in BigDecimal /
duration / nullability defaults.
All three jackson-{annotations,core,databind} declarations in build.gradle
already share this single $jacksonVersion property, so the bump
propagates uniformly.
No source changes needed: the offending Jackson APIs used by
datastream-common's JsonUtils, AvroEncodingException, etc. are
API-compatible between 2.10 and 2.18.
Tested locally: ./gradlew build BUILD SUCCESSFUL.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
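As an added example (not code from the Brooklin project or this PR), a small Python checker that applies the per-line affected ranges quoted in the commit message to version strings pulled from a `gradle dependencies` style report, returning the smallest patched release on the same line. The sample report is constructed, and the names `PATCHED_LINES`, `fix_for` and `scan_dependency_report` are assumptions of this example.

```python
import re
from typing import Dict, Optional, Tuple

# Affected ranges and fix version per release line, exactly as quoted in the
# commit message for CVE-2026-54513 / CVE-2026-54512 (inclusive bounds).
PATCHED_LINES = [
    ((2, 10, 0), (2, 18, 7), "2.18.8"),
    ((2, 19, 0), (2, 21, 3), "2.21.4"),
    ((3, 0, 0), (3, 1, 3), "3.1.4"),
]

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'major.minor.patch' (optional -qualifier) into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]

def fix_for(version: str) -> Optional[str]:
    """Smallest patched version on the same release line, or None when the
    version lies outside the quoted ranges (already patched, or a line the
    table above does not cover)."""
    v = parse_version(version)
    for lo, hi, fixed in PATCHED_LINES:
        if lo <= v <= hi:
            return fixed
    return None

# Matches Gradle report lines such as
#   +--- com.fasterxml.jackson.core:jackson-databind:2.10.0 -> 2.18.8
# capturing coordinate, declared version and (optional) resolved version.
_DEP_RE = re.compile(
    r"(com\.fasterxml\.jackson\.[\w.]+:[\w-]+):([\d.]+)(?:\s*->\s*([\d.]+))?"
)

def scan_dependency_report(report: str) -> Dict[str, Optional[str]]:
    """Map every Jackson coordinate in the report to its fix version (or None).
    The resolved version wins over the declared one, since that is what ships."""
    result: Dict[str, Optional[str]] = {}
    for m in _DEP_RE.finditer(report):
        coord, declared, resolved = m.groups()
        result[coord] = fix_for(resolved or declared)
    return result

# Constructed sample of a dependency report pinned at the pre-bump version.
SAMPLE_REPORT = """\
+--- com.fasterxml.jackson.core:jackson-databind:2.10.0
|    +--- com.fasterxml.jackson.core:jackson-annotations:2.10.0
|    \\--- com.fasterxml.jackson.core:jackson-core:2.10.0
+--- org.slf4j:slf4j-api:1.7.36
"""
```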

@dhananjay-sawner dhananjay-sawner left a comment

Collaborator


LGTM

@akshayrai akshayrai marked this pull request as ready for review June 25, 2026 14:34
@akshayrai akshayrai merged commit 4fba9bd into linkedin:master Jun 25, 2026
1 check passed