Bump jackson-core to 2.21.1 to address GHSA-72hv-8253-57qq

[ahkcs]

Summary

jackson-core versions 2.19.0 through 2.21.0 are affected by GHSA-72hv-8253-57qq. OpenSearch currently uses version 2.20.1. The patched version is 2.21.1.

Vulnerability

The non-blocking (async) JSON parser in jackson-core bypasses the maxNumberLength constraint (default: 1000 characters) in StreamReadConstraints, allowing arbitrarily long numbers that can cause memory and CPU exhaustion (DoS).

• Severity: HIGH
• CWE: CWE-770
• Affected package: com.fasterxml.jackson.core:jackson-core 2.19.0 – 2.21.0
• Fix: 2.21.1

Requested Action

Bump versions.jackson from 2.20.1 to 2.21.1 in the build plugin version catalog so all OpenSearch plugins pick up the fix.

[andrross]

There's a regression in Jackson 2.21.1 that is preventing us from upgrading. It has been fixed in Jackson but no 2.21.2 release exists yet.

[dbwiddis]

@andrross looks like 2.21.2 came out a couple days ago. 🎉

[andrross]

@dbwiddis Andriy beat me to it! #20989

[andrross]

Fixed by #20989