
Security Scans report version of Jackson Databind in Module ingest-geoip as being vulnerable #45225

@centic9

Description


Elasticsearch version (bin/elasticsearch --version): 6.8 (but likely also 6.2, ... 7.x, 8.x, master, ...)

Plugins installed: [default]

JVM version (java -version): N/A

OS version (uname -a if on a Unix-like system): N/A

Description of the problem including expected versus actual behavior:

Security scans of our deployment bring up old versions of jackson-databind being used in module ingest-geoip.

Related vulnerabilities:

Version of jackson-databind reported as vulnerable: 2.8.11.3

This version is still used by the latest version of the ingest-geoip module, see https://github.com/elastic/elasticsearch/blob/master/modules/ingest-geoip/build.gradle#L30

The version with the fixes is 2.9.8: https://github.com/FasterXML/jackson-databind/blob/affb3e85efd047377f8035ed67817822e79fe3be/release-notes/VERSION-2.x#L116; the latest is 2.9.9.2.

I did not check whether the module is actually vulnerable, but please update nevertheless to a version without known vulnerabilities, to silence such security scan reports.
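Added example, not part of the original issue or of the Elasticsearch code base: a small Python check of the kind one might run locally before filing a report like the above. It scans Gradle dependency declarations for one artifact coordinate and flags every declaration whose version is below a chosen fixed version, comparing version components numerically rather than as strings (string comparison would wrongly rank 2.9.10 below 2.9.8, and would miss that 2.9.9.2 is newer than 2.9.9). The build.gradle excerpt is constructed for illustration and is not the real modules/ingest-geoip/build.gradle; the 2.9.8 threshold is the fix version cited in the report. Passing this gate only means the declared version is at or above the threshold; it says nothing about whether the module's actual use of the library is exploitable.

```python
import re

# Constructed build.gradle excerpt for illustration only (not the real
# Elasticsearch file). Mixes a flagged declaration with unrelated ones.
SAMPLE_BUILD_GRADLE = """
dependencies {
    compile "com.fasterxml.jackson.core:jackson-databind:2.8.11.3"
    compile 'com.maxmind.geoip2:geoip2:2.9.0'
    testCompile "com.fasterxml.jackson.core:jackson-databind:2.9.10"
}
"""

# Threshold taken from the report: 2.9.8 is cited as the first version
# carrying the fixes, so anything below it is flagged.
MIN_FIXED_VERSION = "2.9.8"

# Matches the quoted "group:artifact:version" form of a Gradle dependency.
DEP_RE = re.compile(
    r"""['"](?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<version>[\w.\-]+)['"]"""
)


def parse_version(version):
    """Split '2.9.9.2' into comparable components.

    Numeric pieces become (1, int) and non-numeric pieces (e.g. 'rc1')
    become (0, str), so a pre-release tag sorts below any number in the
    same position.
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(parts)


def version_lt(a, b):
    """True if version string a is strictly older than b.

    Shorter versions are padded with numeric zeros, so '2.9.9' < '2.9.9.2'
    and '2.9.0-rc1' < '2.9.0'.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pad = ((1, 0),)
    pa += pad * (width - len(pa))
    pb += pad * (width - len(pb))
    return pa < pb


def find_flagged(build_gradle_text, group, artifact, min_fixed):
    """Return [(line_no, version)] for each declaration of group:artifact
    whose version is below min_fixed. Line numbers are 1-based within the
    given text."""
    flagged = []
    for line_no, line in enumerate(build_gradle_text.splitlines(), start=1):
        m = DEP_RE.search(line)
        if not m:
            continue
        if (m.group("group"), m.group("artifact")) != (group, artifact):
            continue
        if version_lt(m.group("version"), min_fixed):
            flagged.append((line_no, m.group("version")))
    return flagged


if __name__ == "__main__":
    hits = find_flagged(
        SAMPLE_BUILD_GRADLE,
        "com.fasterxml.jackson.core",
        "jackson-databind",
        MIN_FIXED_VERSION,
    )
    for line_no, version in hits:
        print(f"line {line_no}: jackson-databind {version} is below {MIN_FIXED_VERSION}")
```

Run against a real build.gradle by reading the file into `find_flagged` in place of the constructed excerpt; declarations that pull the version from a Gradle property (`${versions.jackson}`) will not match the regex and need the property resolved first.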
