[CVE-2020-36518] Update jackson-databind to 2.13.2.1

[reta]

Describe the bug

jackson-databind up to 2.13.2 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-36518
[2] FasterXML/jackson-databind#2816

To Reproduce
Steps to reproduce the behavior:

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Expected behavior
Update jackson-databind to 2.13.2.1

Plugins
Please list all plugins currently enabled.

Screenshots
If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):

• OS: [e.g. iOS]
• Version [e.g. 22]

Additional context
Add any other context about the problem here.

[peternied]

Looks like the 2.13.2 change never made it to 1.3, this is causing issues since security picked up this change.

[saratvemulapalli]

@reta looks the team is working on 1.3.2 release and Security plugin, OpenSearch have different versions for jackson-databind.
Is it intentional to upgrade 1.3 to 2.12.6.1? Can we upgrade it to 2.13.2.2?

[reta]

@reta looks the team is working on 1.3.2 release and Security plugin, OpenSearch have different versions for jackson-databind. Is it intentional to upgrade 1.3 to 2.12.6.1? Can we upgrade it to 2.13.2.2?

@saratvemulapalli yes, the 2.12.6.1 had a CVE fix we needed to address. The 1.3 release line uses Jackson 2.12.6, we could update to 2.13.x but AFAIK the minor releases only include bugfixes (2.13.2.2 should have same CVE fix as 2.12.6.1).

jackson           = 2.12.6
jackson_databind  = 2.12.6.1

[peternied]

@zelinh I am going to confirm we can take the patch version into security as @reta suggests.

I've created this issue to resolve the root cause: opensearch-project/security#1816

[kartg]

#1817 has been merged. Closing this.