Upgrade to Jackson 2.9.2

[tlrx]

This PR updates Jackson to version 2.9.2.

[tlrx]

FastStringReader uses a length equal to -1 to indicate that the reader has been closed. But once closed, the CharSequence's length() method reports an invalid value making use of subSequence(int,int) method fail. I fixed that by adding a closed flag instead of relying on length value.

[tlrx]

It has been caught by tests, because Jackson 2.9.2 is more descriptive than 2.8.6 when reporting JSON location in exception messages and uses CharSequence's length() method here

[nik9000]

Makes sense to me.

[tlrx]

@nik9000 Thanks for review, but the PR was in WIP. I changed few things, would you like to have another look?

[jasontedor]

LGTM. Will this also be ported to 6.x?

[nik9000]

Makes sense to me.

[tlrx]

Will this also be ported to 6.x?

Yes

[tlrx]

Thanks @nik9000 and @jasontedor.

[tlrx]

This pull request passed on CI here but now it is merged it is causing different types of issues on CI, so I reverted it (463e7e6 and 72b9859) until I find the cause of the errors.

[tlrx]

After some investigation, this upgrade caused various failures because of two changes in Jackson 2.9.2:

Smile

In Jackson 2.9.2 the SMILE format is now part of the jackson-dataformats-binary project. The code has been factorized multiple times but the consequence is that the SmileParser now extends SmileParserBase (instead of ParserBase in 2.8) and correctly parses back float values.

Some elasticsearch tests like GetResultTests or GetResponseTests rely on a special treatment for float values (see RandomObjects) and they fail. This is good since the float values are now correctly parsed back but these tests have to be adapted for Jackson 2.9.

Yaml

Jackson 2.9.2 now depends on snakeyaml 1.18 (instead of 1.15) and I suspect a performance degradation in the YAML parser when reading large text values.

The entry point is in the org.yaml.snakeyaml.scanner.ScannerImpl#scanFlowScalarNonSpaces(boolean, Mark) method:

while (Constant.NULL_BL_T_LINEBR.hasNo(reader.peek(length), "\'\"\\")) {
  length++;
}

This method uses the peek() method of a org.yaml.snakeyaml.reader.StreamReader instance and this method has been changed in 1.18 to return a int instead of a char, but the new implementation is less efficient for large values.

The consequence is that parsing some values take a lot of time, it slows down all REST integration tests and some tests just time out during execution (like ingest-attachement).

I'm currently testing Jackson 2.8.10 in #27230

[msymons]

Will there be a backport for v5.6.x?

This would address deserialization vulnerability CVE-2017-7525 affecting transitive dependency jackson-databind v2.8.6

[tlrx]

@msymons This pull request has been reverted. What you're looking for is #27361 which has been backported to the current 5.6.x maintenance branch but not released.

[msymons]

@tlrx. My apologies… somehow, I had ended up making my comment above in the wrong browser tab! I had seen the reversion that you refer to and had meant to add my comment to #27230 (which does not (yet) reference v5.6.5 ). Is not #27361 related just to AWS SDK?

[jasontedor]

Is not #27361 related just to AWS SDK?

@msymons The databind artifact is only used as transitive dependencies in discovery-ec2, repository-s3, and ingest-geoip. From #27361 we have upgraded that dependency to a patched version for the plugins that use the AWS SDK. For ingest-geoip, we have to wait until core has its core Jackson dependency upgraded (at this PR was doing). The usage of jackson-databind in that plugin is tightly scoped. Otherwise, there are no other uses for databind within Elasticsearch.

[tlrx]

I tested Jackson 2.9.6 and I reported this issue in jackson-dataformats-text. Binary values can be encoded in YAML but not decoded when it exceeds a given size.

[tlrx]

I tested Jackson 2.9.7 and still the same issue.

[nkomissar]

hi tlrx, I can see the issue you've found is fixed in 2.9.9/2.10.0, does it make possible upgrading Jackson?
In my company, we would like to use elasticsearch but it's blocked by Security due to vulnerabilities in 2.8.11.

Thanks!

[jasontedor]

I want to make explicit here that Elasticsearch is not exposed to the vulnerabilities in 2.8.11.

[nkomissar]

Can you please elaborate or provide some link where I can find more info to satisfy our Security? This will be greatly appreciated!

[jasontedor]

Elasticsearch does not use any of the functionality related to the exploits, we are not exposed to any of the issues related to polymorphic deserialization at all. Does that help?

[nkomissar]

Thank you. I will talk to the AppSec folks and will see :)

[msymons]

@jasontedor

Elasticsearch does not use any of the functionality related to the exploits, we are not exposed to any of the issues related to polymorphic deserialization at all. Does that help?

I totally understand that Elasticsearch has no exposure to any of the jackson-databind issues. However, projects using Elasticsearch and other dependencies that ARE vulnerable to the jackson-databind issues (meaning that the other dependencies must use jackson 2.9.9) does make for problems with dependency management.

Additionally, using out of date components does lead to operational-risk warnings from analysers such as Nexus-IQ

However, I would hope that updating to 2.9.9 would provide its own benefits in terms of functionality, etc. But I am not a developer and so cannot opine too much on that aspect.