Resolving jackson-mapper-asl vulnerability

[KarthikaPKumar]

Description

Identified security vulnerability issues of severity high from jackson-mapper-asl and resolved the same. Excluded the transitive dependency of jackson-mapper-asl occuring from parent packages that does not break the build or impact the functionality but removes the said exploitable.

Motivation and Context

Vulnerabilities Direct vulnerabilities: CVE-2019-10202 CVE-2019-10172

Impact

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

Test Plan

Contributor checklist

• [ ] Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
• [ ] PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• [ ] Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• [ ] If release notes are required, they follow the release notes guidelines.
• [ ] Adequate tests were added if applicable.
• [ ] CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== NO RELEASE NOTE ==

[prestodb-ci]

Saved that user @KarthikaPKumar is from IBM