Logstash-8.3.3 (latest) still using jackson-databind-2.9.10.8

As per the Logstash 8.3.0 release notes,

  • Jackson and jackson-databind have been updated to 2.13.3 #13945

But we see that the Logstash rpm also brings in a plugin, logstash-input-beats, that still uses jackson-databind-2.9.10.8.
This is seen with the latest Logstash 8.3.3 release too.

$ rpm -q -l -p logstash-oss-8.3.3-x86_64.rpm | grep jackson | grep ".jar" | grep -v "2.13.3"
warning: logstash-oss-8.3.3-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jrjackson-0.4.16-java/lib/jrjackson/jars/jrjackson-1.2.33.jar
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jrjackson-0.4.16-java/lib/jrjackson_jars.rb
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.4.0-java/vendor/jar-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.9.10/jackson-annotations-2.9.10.jar
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.4.0-java/vendor/jar-dependencies/com/fasterxml/jackson/core/jackson-core/2.9.10/jackson-core-2.9.10.jar
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.4.0-java/vendor/jar-dependencies/com/fasterxml/jackson/core/jackson-databind/2.9.10.8/jackson-databind-2.9.10.8.jar
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.4.0-java/vendor/jar-dependencies/com/fasterxml/jackson/module/jackson-module-afterburner/2.9.10/jackson-module-afterburner-2.9.10.jar

jackson-databind-2.9.10.8 has associated security vulnerabilities and has already reached End of Life.
Please let us know when this will be fixed and when the dependent plugins using >=2.13.3 will be consumed.

Thanks!
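Added example, not part of the original post and not Elastic's code: a check that parses a package file listing like the one above, reads the Jackson version out of each Maven-layout jar path, compares it numerically against 2.13.3, and reports which gem bundles it. The function names and the last sample path are assumptions made for the illustration; jars that do not follow the `com/fasterxml/jackson/.../<artifact>/<version>/` layout are ignored.

```python
import re
import sys

# Maven-layout jar vendored inside a gem:
#   .../gems/<gem>/.../com/fasterxml/jackson/<group>/<artifact>/<version>/<artifact>-<version>.jar
JAR_RE = re.compile(
    r"/gems/(?P<gem>[^/]+)/.*?/com/fasterxml/jackson/[^/]+/"
    r"(?P<artifact>[^/]+)/(?P<version>[^/]+)/(?P=artifact)-(?P=version)\.jar$"
)
MIN_VERSION = "2.13.3"  # version named in the 8.3.0 release note quoted in the post
GEMS = "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems"
BEATS = GEMS + "/logstash-input-beats-6.4.0-java/vendor/jar-dependencies/com/fasterxml/jackson"

# Paths copied from the listing in the post; the last one is constructed
# (hypothetical gem) to show an up-to-date jar passing the check.
SAMPLE = [
    GEMS + "/jrjackson-0.4.16-java/lib/jrjackson/jars/jrjackson-1.2.33.jar",
    GEMS + "/jrjackson-0.4.16-java/lib/jrjackson_jars.rb",
    BEATS + "/core/jackson-annotations/2.9.10/jackson-annotations-2.9.10.jar",
    BEATS + "/core/jackson-core/2.9.10/jackson-core-2.9.10.jar",
    BEATS + "/core/jackson-databind/2.9.10.8/jackson-databind-2.9.10.8.jar",
    BEATS + "/module/jackson-module-afterburner/2.9.10/jackson-module-afterburner-2.9.10.jar",
    GEMS + "/example-plugin-1.0.0-java/vendor/jar-dependencies/com/fasterxml/jackson"
           "/core/jackson-databind/2.13.3/jackson-databind-2.13.3.jar",
]


def version_key(version):
    """'2.9.10.8' -> (2, 9, 10, 8). Numeric, because as strings '2.9' sorts after '2.13'."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((parts + [0, 0, 0, 0])[:4])


def stale_jackson_jars(paths, minimum=MIN_VERSION):
    """Return sorted (gem, artifact, version) for bundled Jackson jars older than minimum."""
    floor = version_key(minimum)
    findings = set()
    for path in paths:
        m = JAR_RE.search(path.strip())
        if m and version_key(m["version"]) < floor:
            findings.add((m["gem"], m["artifact"], m["version"]))
    return sorted(findings)


if __name__ == "__main__":
    # Pipe a real listing in (rpm -q -l -p <package>.rpm | python3 this_file.py),
    # or run with no input to use the sample above.
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for gem, artifact, version in stale_jackson_jars(lines):
        print(f"{gem}: {artifact} {version} < {MIN_VERSION}")
```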
