Upgrade JDBC driver to Jackson 2.15.0 due to 2.14.x being vulnerable to Denial of Service

[dqmdev]

Current driver build uses Jackson 2.14.2.

Please review and rebuild with Jackson 2.15.0. and update public page at
https://docs.aws.amazon.com/redshift/latest/mgmt/jdbc20-download-driver.html

com.fasterxml.jackson.core_jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS). The package does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended and leads to Uncontrolled Resource Consumption ('Resource Exhaustion')

Fixed in Jackson 2.15 released April 23, 2023

FasterXML/jackson-core#315

FasterXML/jackson-core#322

FasterXML/jackson-core#827

[bhvkshah]

Thanks for opening this issue, @dqmdev. As the release for JDBC Driver version 2.1.0.16 is already under way, we plan to include this Jackson upgrade in our 2.1.0.17 release.

[dqmdev]

What is the projected timeline for 2.1.0.17? July? Aug?

[bhvkshah]

We're targeting end-of-June/ early July.

[dqmdev]

@bhvkshah can you deliver the fix before July 14th

[bhvkshah]

@dqmdev yes, release is underway for July first week.

[bhvkshah]

@dqmdev version 2.1.0.17 has been released, which contains the fix to update jackson dependencies. Thank you for bringing this issue to our attention as always!

[bhvkshah]

Download links:
https://redshift-downloads.s3.amazonaws.com/drivers/jdbc/2.1.0.17/redshift-jdbc42-2.1.0.17.jar
https://redshift-downloads.s3.amazonaws.com/drivers/jdbc/2.1.0.17/redshift-jdbc42-2.1.0.17.zip