aws / aws-sdk-java

The official AWS SDK for Java 1.x. The AWS SDK for Java 2.x is available here: https://github.com/aws/aws-sdk-java-v2/
https://aws.amazon.com/sdkforjava
Apache License 2.0

[Security vulnerability] Upgrade Jackson-core package to the latest version in aws-sdk-bundle #3126

Open Poojitha-R-Rao opened 4 days ago

Poojitha-R-Rao commented 4 days ago

Upcoming End-of-Support

Describe the bug

aws-sdk-bundle-1.12.755.jar and all prior versions use jackson-core version 2.12.7, which is vulnerable as per the description below.

PRISMA-2023-0067 - Description: com.fasterxml.jackson.core_jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS). The package does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended and leads to Uncontrolled Resource Consumption ('Resource Exhaustion').

Please help to upgrade jackson-core to the latest version, 2.17.1.

Expected Behavior

N/A

Current Behavior

N/A

Reproduction Steps

N/A

Possible Solution

No response

Additional Information/Context

No response

AWS Java SDK version used

aws-sdk-bundle-1.12.755

JDK version used

openjdk version "11.0.23"

Operating System and version

N/A
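Because aws-sdk-bundle shades its dependencies, a Maven dependency tree will not list jackson-core at all; the bundled version has to be read out of the jar itself. The script below is an added example (not code from the issue or from the AWS SDK project) that does that check: it looks for the pom.properties entry that the Maven shade plugin normally carries over for each shaded dependency, and compares the jackson-core version it finds against 2.15.0, the first release the PRISMA description above treats as unaffected. The relocated class path used in the constructed sample jar, and the assumption that the bundle's shade configuration kept META-INF/maven, are assumptions, not facts taken from the real artifact.

```python
import io
import re
import zipfile

# Maven shade keeps each dependency's pom.properties under META-INF/maven/<groupId>/<artifactId>/
# (assumption: the bundle's shade config did not filter these resources out).
POM_PROPS_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

JACKSON_CORE = ("com.fasterxml.jackson.core", "jackson-core")
# First jackson-core release not covered by the PRISMA-2023-0067 description quoted in the issue.
FIXED_VERSION = "2.15.0"


def parse_version(text):
    """'2.12.7' -> (2, 12, 7); missing components are zero-padded so '2.15' compares equal to '2.15.0'."""
    parts = [int(x) for x in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def bundled_versions(jar_bytes):
    """Map (groupId, artifactId) -> version for every pom.properties entry inside the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            match = POM_PROPS_RE.match(name)
            if not match:
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
            if "version" in props:
                group = props.get("groupId", match.group(1))
                artifact = props.get("artifactId", match.group(2))
                found[(group, artifact)] = props["version"]
    return found


def jackson_core_status(jar_bytes, fixed=FIXED_VERSION):
    """Return (bundled_version, at_or_above_fixed); (None, None) if no jackson-core metadata is present."""
    version = bundled_versions(jar_bytes).get(JACKSON_CORE)
    if version is None:
        return None, None
    return version, parse_version(version) >= parse_version(fixed)


def build_sample_bundle(jackson_version):
    """Constructed stand-in for aws-sdk-bundle: a jar holding only the entries the check reads.
    The relocated class path is an assumption about how the bundle shades Jackson."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.properties",
            "#Generated by Maven\nversion=%s\ngroupId=com.fasterxml.jackson.core\n"
            "artifactId=jackson-core\n" % jackson_version,
        )
        zf.writestr("com/amazonaws/thirdparty/jackson/core/JsonFactory.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # e.g. python check_bundle.py ~/.m2/repository/com/amazonaws/aws-sdk-bundle/1.12.755/aws-sdk-bundle-1.12.755.jar
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_bundle("2.12.7")  # constructed sample mirroring the version named in the issue
    version, ok = jackson_core_status(data)
    if version is None:
        print("no jackson-core pom.properties found; the shade config may have dropped META-INF/maven")
    else:
        print("bundled jackson-core %s: %s" % (version, "ok" if ok else "below %s" % FIXED_VERSION))
```

If the real bundle returns no match, the shade configuration dropped the Maven metadata and the version has to be recovered another way, for instance from the relocated copy of jackson-core's PackageVersion class; the pom.properties route is simply the cheapest check to run in CI against every bundle jar on the classpath.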

debora-ito commented 4 days ago

@Poojitha-R-Rao is there a CVE associated with this PRISMA report?

The vulnerability description is too generic to understand if the SDK is impacted.

Poojitha-R-Rao commented 3 days ago

@debora-ito - No, we do not have a direct CVE, but we have references from other places (please find links below). Our Twistlock scans revealed this. Please upgrade jackson-core to the latest.

https://github.com/DataDog/dd-trace-java/issues/5844
https://github.com/zendesk/maxwell/issues/2013
https://lists.apache.org/thread/foz49f5nqt6splrhpc21okqkfgpyz68r
https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426