Vulnerabilities in Jackson Mapper ASL used by Jet 4.3

[olukas]

Jet uses Jackson Mapper ASL 1.9.13 which includes following vulnerabilities:

• CVE-2019-10172 - https://nvd.nist.gov/vuln/detail/CVE-2019-10172 (fixed in 1.9.13-2, https://security-tracker.debian.org/tracker/CVE-2019-10172)

[gurbuzali]

two of our extensions depend on this library:

• avro
• hadoop

For avro extension, we depend on org.apache.avro:avro:1.8.2 which depends on this library.
We can fix the issues by moving to avro 1.10.1 which depends on Jackson Databind library 2.11.3 (which Jackson Mapper library moved to)

For hadoop extension, we currently use Hadoop 2.10.0 which depends on this library. We could exclude the library from Hadoop and then add it as a separate library but the mentioned fixed version is not available in the main maven repo. The next patch version of Hadoop does not fix the issue, we may need to move to Hadoop 3.x for a fix

[gurbuzali]

On second thought (thanks @frant-hartm for the tip), we don't distribute Hadoop in our hadoop extension, so it should not be an issue.

[gurbuzali]

closed via #2937