Vulnerabilities in Jackson Mapper ASL used by Jet master

[olukas]

Jet hazelcast-jet-files-azure uses Jackson Mapper ASL 1.9.13 which includes following vulnerabilities:

• CVE-2019-10172 - https://nvd.nist.gov/vuln/detail/CVE-2019-10172 (fixed in 1.9.13-2, https://security-tracker.debian.org/tracker/CVE-2019-10172)

It is the same issue as in #2913 however hazelcast-jet-files-azure was not part of 4.3.x hence it seems we forget to apply the changes also to this module.

[gurbuzali]

hazelcast-jet-files-azure depends on org.apache.hadoop:hadoop-azure:jar:3.3.0 which depends on org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13. we use latest version for hadoop-azure and the mentioned fixed version (1.9.13-2) is not available in maven-central. the library is moved to com.fasterxml.jackson.core:jackson-databind, that's why it is not in the maven-central most probably.