build(deps): Update Jackson to 2.22.0 to address multiple CVEs #19618

Open
ashwintumma23 wants to merge 2 commits into apache:master from ashwintumma23:fix-jackson-vulnerabilities
Conversation

@ashwintumma23 ashwintumma23 commented Jun 23, 2026

Contributor

Description

Summary

Updates Jackson from version 2.21.3 to 2.22.0 to address 4 high severity security vulnerabilities in jackson-core, jackson-databind, and jackson-annotations.

Release note

Upgraded com.fasterxml.jackson dependencies from version 2.21.3 to 2.22.0 to address security vulnerabilities.


Key changed/added classes in this PR
  • Top Level pom.xml
  • licenses.yaml

Reason for upgrade

Jackson is a core JSON processing library used extensively throughout Druid for serialization and deserialization of configuration, query requests, ingestion specs, segment metadata, and internal communication between nodes. The upgrade from 2.21.3 to 2.22.0 addresses 4 high severity security vulnerabilities that pose significant risks to data integrity, service availability, and security posture.

Since Druid processes sensitive data and exposes REST APIs for queries, ingestion, and cluster coordination, these vulnerabilities could allow attackers to manipulate serialized data, cause denial of service, or potentially execute unauthorized operations. Upgrading to version 2.22.0 patches all identified vulnerabilities and is essential for maintaining a secure production environment.

CVEs Addressed

High Severity:

  • CVE-2026-54513: Deserialization vulnerability in jackson-databind allowing unauthorized data manipulation through polymorphic type handling bypass
  • CVE-2026-54512: Denial of service through unbounded resource consumption in jackson-databind during deeply nested JSON parsing
  • CVE-2026-54514: Information disclosure via jackson-databind through improper exception handling exposing internal application state
  • CVE-2026-54516: Arbitrary code execution risk in jackson-core through maliciously crafted JSON leading to unsafe object instantiation

Changes

This PR includes changes to two files to complete the Jackson security upgrade and satisfy Druid's license compliance requirements:

1. pom.xml (1 line changed)

  • Updated jackson.version property from 2.21.3 to 2.22.0

2. licenses.yaml (4 sections updated, 8 lines changed)

  • Updated Jackson core version: 2.21.3 → 2.22.0 in java-core module
  • Updated Jackson version: 2.21.3 → 2.22.0 in extensions-contrib/druid-deltalake-extensions module
  • Updated Jackson version: 2.21.3 → 2.22.0 in extensions-core/kubernetes-overlord-extensions module
  • Updated Jackson Dataformat Yaml version: 2.21.3 → 2.22.0 in extensions/druid-avro-extensions module

Tests

  • Verified the dependency resolves correctly with all transitive dependencies

  • Build completes successfully with the updated version

  • Existing integration tests pass with the upgraded Jackson version

  • License validation passes for all modules


    This PR has:

    • been self-reviewed.
    • added documentation for new or modified features or behaviors.
    • a release note entry in the PR description.
    • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
    • added or updated version, license, or notice information in licenses.yaml (https://github.com/apache/druid/blob/master/dev/license.md)
    • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
    • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage (https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md) is met.
    • added integration tests.
    • been tested in a test Druid cluster.

Updates Jackson from version 2.21.3 to 2.22.0 to address 4 high severity
security vulnerabilities in jackson-core, jackson-databind, and jackson-annotations.
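A dependency-version bump like this one only removes the vulnerable code if every Jackson artifact on the resolved classpath actually moves to 2.22.0; a transitive dependency in one of the modules can still pin an older jackson-core, jackson-databind, jackson-annotations or dataformat artifact. The check below is an added example (not part of this PR or of Druid's build) that scans `mvn dependency:tree` output and reports any Jackson artifact still resolving below a minimum version; it skips nodes Maven marks as "omitted for conflict" in `-Dverbose` mode, since those are not on the final classpath. The sample tree is constructed, and the `org.example` coordinates are placeholders.

```python
import re

# One Maven dependency:tree node: group:artifact:type[:classifier]:version:scope,
# optionally wrapped in parentheses with an "omitted for ..." note (verbose mode).
_DEP_LINE = re.compile(
    r"\(?(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w\-]+):)?(?P<version>[\w.\-]+):(?P<scope>\w+)"
    r"(?P<omitted> - omitted for [^)]*)?\)?"
)

def parse_version(version):
    # "2.22.0" -> (2, 22, 0); qualifiers such as "-SNAPSHOT" are ignored
    return tuple(int(part) for part in re.findall(r"\d+", version))

def stale_jackson(tree_text, minimum="2.22.0", group_prefix="com.fasterxml.jackson"):
    """Return [(group:artifact, version, scope)] for every Jackson artifact that
    is on the resolved classpath but older than `minimum`."""
    floor = parse_version(minimum)
    stale = []
    for line in tree_text.splitlines():
        match = _DEP_LINE.search(line)
        if not match or not match.group("group").startswith(group_prefix):
            continue
        if match.group("omitted"):
            # Maven discarded this node during mediation; the winner is listed elsewhere
            continue
        if parse_version(match.group("version")) < floor:
            coords = f"{match.group('group')}:{match.group('artifact')}"
            stale.append((coords, match.group("version"), match.group("scope")))
    return stale

# Constructed sample of `mvn dependency:tree -Dverbose` output (not real Druid output).
SAMPLE_TREE = r"""
[INFO] org.example:app:jar:1.0
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.22.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.22.0:compile
[INFO] |  \- (com.fasterxml.jackson.core:jackson-annotations:jar:2.21.3:compile - omitted for conflict with 2.22.0)
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.22.0:compile
[INFO] \- org.example:some-connector:jar:1.4.0:compile
[INFO]    \- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.21.3:compile
"""

if __name__ == "__main__":
    for coords, version, scope in stale_jackson(SAMPLE_TREE):
        print(f"STALE {coords} {version} ({scope})")
```

Run it against `mvn dependency:tree -Dverbose` output from each module (for example the extension modules whose licenses.yaml entries this PR touches) and fail the build when the returned list is non-empty.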

@FrankChen021 FrankChen021 left a comment

Member

I have reviewed the code for correctness, edge cases, concurrency, and integration risks; no issues found.

Reviewed 2 of 2 changed files.


This is an automated review by Codex GPT-5.5

@FrankChen021 FrankChen021 left a comment

Member

I have reviewed the updated PR changes for correctness, dependency/license consistency, and integration risk; no issues found.

Reviewed 2 of 2 changed files.


This is an automated review by Codex GPT-5.5
