At the time of writing, the AWS SDK depends on jackson-databind v2.6.7.1. This version suffers from CVE-2017-15095 and CVE-2018-7489, both of which are critical vulnerabilities.
For what it is worth, the next (micro-)patch version with fixes for the above-mentioned CVEs is 2.7.9.3.
And further up minor versions, 2.8.11.1 has both as well.
The potential risk of the CVEs in question is discussed on:
and I don't know if the SDK uses either Default Typing or polymorphic types (via @JsonTypeInfo on a property) with a declared base type of java.lang.Object.
But I think many/most/all CVE tools are unable to assess the actual risk with respect to the features used and simply assume there is a vulnerability just because someone may use the specific feature(s) in question, so even if there were no problems, security tools are likely to flag the dependency as risky.
We will be updating the README shortly about these CVEs. In short the SDK is not affected because we don't use polymorphic deserialization as @cowtowncoder explains above.
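The point made in the two comments above is that the dependency scanner's verdict and the actual exposure are different questions: the gadget CVEs need polymorphic type handling to be enabled somewhere in the consuming code. The script below is an added example, not code from the AWS SDK or from this thread, showing how a consumer can check that claim for their own code base: it greps a Java source tree for the jackson-databind 2.x calls and annotations that turn on polymorphic typing (`enableDefaultTyping`, `activateDefaultTyping`, `@JsonTypeInfo`, `ObjectMapper.DefaultTyping`) and reads the pinned `jackson-databind` version out of a `pom.xml`. The function names, the pattern list and the sample files the demo constructs are my own assumptions. A hit on `@JsonTypeInfo` still needs a manual look at the declared base type, since the risk discussed above is specific to `java.lang.Object`.

```shell
#!/bin/sh
# Added audit helper (not part of the AWS SDK or this issue thread).
# Rationale from the discussion: the jackson-databind gadget CVEs only bite
# when polymorphic type handling is enabled, so the question for a consumer
# is "do we turn it on anywhere?", not just "which version is on the classpath?".

# Constructs that enable polymorphic type handling in jackson-databind 2.x
# (assumed list; extend it for any wrappers your code base uses).
JACKSON_POLY_PATTERNS='enableDefaultTyping|activateDefaultTyping|@JsonTypeInfo|ObjectMapper\.DefaultTyping'

# Print every matching line in *.java files under $1 as file:line:text.
# Exit status is grep's: 0 if something matched, 1 if nothing did.
jackson_polymorphic_usages() {
    grep -rnE --include='*.java' "$JACKSON_POLY_PATTERNS" "$1"
}

# Number of matching lines under $1 (0 means no polymorphic typing found).
jackson_polymorphic_count() {
    jackson_polymorphic_usages "$1" | wc -l | tr -d ' '
}

# Version pinned for jackson-databind in a Maven pom: the first <version>
# after the jackson-databind <artifactId>. Prints nothing if not declared.
jackson_databind_version() {
    awk '/<artifactId>jackson-databind<\/artifactId>/ { hit = 1; next }
         hit && /<version>/ { gsub(/.*<version>|<\/version>.*/, ""); print; exit }' "$1"
}

# Build a constructed sample tree (one risky file, one safe file, and a pom
# that pins 2.6.7.1 as in the issue) and run the audit over it.
jackson_audit_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src"
    cat > "$tmp/src/Risky.java" <<'EOF'
import com.fasterxml.jackson.databind.ObjectMapper;
class Risky {
    // Turns on default typing: this is the exposure the CVEs need.
    ObjectMapper mapper = new ObjectMapper().enableDefaultTyping();
}
EOF
    cat > "$tmp/src/Safe.java" <<'EOF'
import com.fasterxml.jackson.databind.ObjectMapper;
class Safe {
    ObjectMapper mapper = new ObjectMapper();
}
EOF
    cat > "$tmp/pom.xml" <<'EOF'
<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <version>2.6.7.1</version>
</dependency>
EOF
    echo "jackson-databind version: $(jackson_databind_version "$tmp/pom.xml")"
    echo "polymorphic typing hits:  $(jackson_polymorphic_count "$tmp/src")"
    jackson_polymorphic_usages "$tmp/src"
    rm -rf "$tmp"
}

jackson_audit_demo
```

Run it against a real tree with `jackson_polymorphic_usages path/to/src` and `jackson_databind_version path/to/pom.xml`. A count of zero plus a version below the fixed releases named above (2.7.9.3, 2.8.11.1) is the situation the SDK maintainers describe: the scanner will keep flagging the artifact, but the code never enables the feature the advisories depend on; a non-zero count is the case where the version actually matters.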
A fix for CVE-2017-15095 was backported to 2.6.7.x in FasterXML/jackson-databind#1945. However, it was never released. I'm also unaware of a backport of FasterXML/jackson-databind#1931.