Description
Elasticsearch version (bin/elasticsearch --version):
7.0.0-alpha1
6.2.4
6.1.4
Plugins installed:
N/A
JVM version (java -version):
N/A
OS version (uname -a if on a Unix-like system):
N/A
Description of the problem including expected versus actual behavior:
Update the Jackson version from 2.8.10 to 2.8.11 to address CVE-2018-7489, a deserialization flaw with a CVSS v3.0 Base Score of 9.8 (critical).
Update to 2.8.10 was done via PR #27230 - merged prior to publication of CVE-2018-7489. Whilst the CVE fix is also available in Jackson v2.9.5, the PR explains that Jackson v2.8.11 is currently the only option...
While it's not possible to upgrade the Jackson dependencies to their latest versions yet (see #27032 (comment) for more) it's still possible to upgrade to the latest 2.8.x version.
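As an added example (not part of the issue or of the Elasticsearch code base), a small audit script that lists the Jackson jars in an install's lib/ directory that are still below the fix versions the issue names (2.8.11 for the 2.8 line, 2.9.5 for 2.9). The jar-name pattern and the sample listing are assumptions constructed for the example.

```python
"""Flag Jackson jars older than the CVE-2018-7489 fix versions named in the issue."""
import re
from pathlib import Path

# Fix versions as stated in the issue: 2.8.11 for the 2.8 line, 2.9.5 for the 2.9 line.
FIXED_BY_LINE = {(2, 8): (2, 8, 11), (2, 9): (2, 9, 5)}

# Assumed jar naming, e.g. jackson-core-2.8.10.jar or jackson-dataformat-cbor-2.8.10.jar.
JAR_RE = re.compile(r"^(jackson-[a-z-]+)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.8.10' -> (2, 8, 10); tuple comparison also orders 2.8.11.1 after 2.8.11."""
    return tuple(int(p) for p in text.split("."))


def is_vulnerable(version):
    """True when the version predates the fix for its minor line.

    Lines older than 2.8 have no fix release and are reported as affected;
    lines newer than 2.9 shipped after the fix and are treated as patched.
    """
    line = version[:2]
    if line in FIXED_BY_LINE:
        return version < FIXED_BY_LINE[line]
    return line < (2, 8)


def audit_jar_names(names):
    """Return {jar name: version string} for every Jackson jar still affected."""
    findings = {}
    for name in names:
        m = JAR_RE.match(name)
        if m and is_vulnerable(parse_version(m.group(2))):
            findings[name] = m.group(2)
    return findings


def audit_lib_dir(path):
    """Run the same check over a real lib/ directory of an Elasticsearch install."""
    return audit_jar_names(p.name for p in Path(path).glob("jackson-*.jar"))


# Constructed sample listing, modelled on the 2.8.10 state the issue asks to update.
SAMPLE_JARS = [
    "jackson-core-2.8.10.jar",
    "jackson-dataformat-smile-2.8.10.jar",
    "jackson-dataformat-yaml-2.8.11.jar",
    "jackson-databind-2.9.5.jar",
    "lucene-core-7.2.1.jar",
]

if __name__ == "__main__":
    for jar, ver in sorted(audit_jar_names(SAMPLE_JARS).items()):
        print(f"{jar}: {ver} predates the CVE-2018-7489 fix")
```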