
[BugFix][CVE] bump jackson-databind to 2.21.4#75373

Merged
alvin-phoenix-ai merged 1 commit into
StarRocks:mainfrom
kevincai:bugfix/fix-cve-jackson-databind
Jun 25, 2026

Conversation

@kevincai

Contributor

Bump the jackson family (jackson.version) from 2.21.1 to 2.21.4 across fe/, java-extensions/, and fs_brokers/ to remediate two jackson-databind deserialization vulnerabilities.

  • CVE-2026-54512: com.fasterxml.jackson.core:jackson-databind, affected >= 2.10.0 < 2.21.4 (2.21.x line), fixed in 2.21.4. A class can be smuggled past a PolymorphicTypeValidator allow-list as a generic type argument and instantiated during deserialization (RCE).
  • CVE-2026-54513: com.fasterxml.jackson.core:jackson-databind, affected >= 2.10.0 < 2.21.4 (2.21.x line), fixed in 2.21.4. CWE-184: the BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() path inadequately validates array component types, bypassing the allow-list.

jackson-databind ships directly in fe/ and is also pulled in transitively via the Hadoop/Hive/Iceberg/Paimon/Kudu/Hudi ecosystem in java-extensions/ and fs_brokers/. All trees route jackson-core / jackson-databind / jackson-dataformat-yaml / jackson-module-jaxb-annotations through the shared ${jackson.version} property in dependencyManagement (Maven) and constraints (Gradle), so the single property bump forces the patched version everywhere, including transitive pulls.

jackson-annotations.version stays at 2.21 (it has no 2.21.4 release and is not affected by these CVEs).

Why I'm doing:

What I'm doing:

Fixes #issue

What type of PR is this:

  • BugFix
  • Feature
  • Enhancement
  • Refactor
  • UT
  • Doc
  • Tool

Does this PR entail a change in behavior?

  • Yes, this PR will result in a change in behavior.
  • No, this PR will not result in a change in behavior.

If yes, please specify the type of change:

  • Interface/UI changes: syntax, type conversion, expression evaluation, display information
  • Parameter changes: default values, similar parameters but with different default values
  • Policy changes: use new policy to replace old one, functionality automatically enabled
  • Feature removed
  • Miscellaneous: upgrade & downgrade compatibility, etc.

Checklist:

  • I have added test cases for my bug fix or my new feature
  • This pr needs user documentation (for new or modified features or behaviors)
    • I have added documentation for my new feature or new function
    • This pr needs auto generate documentation
  • This is a backport pr

Bugfix cherry-pick branch check:

  • I have checked the version labels which the pr will be auto-backported to the target branch
    • 4.1
    • 4.0
    • 3.5

Bump the jackson family (jackson.version) from 2.21.1 to 2.21.4 across
fe/, java-extensions/, and fs_brokers/ to remediate two jackson-databind
deserialization vulnerabilities.

- CVE-2026-54512: com.fasterxml.jackson.core:jackson-databind, affected
  >= 2.10.0 < 2.21.4 (2.21.x line), fixed in 2.21.4. A class can be
  smuggled past a PolymorphicTypeValidator allow-list as a generic type
  argument and instantiated during deserialization (RCE).
- CVE-2026-54513: com.fasterxml.jackson.core:jackson-databind, affected
  >= 2.10.0 < 2.21.4 (2.21.x line), fixed in 2.21.4. CWE-184: the
  BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() path
  inadequately validates array component types, bypassing the allow-list.

jackson-databind ships directly in fe/ and is also pulled in transitively
via the Hadoop/Hive/Iceberg/Paimon/Kudu/Hudi ecosystem in java-extensions/
and fs_brokers/. All trees route jackson-core / jackson-databind /
jackson-dataformat-yaml / jackson-module-jaxb-annotations through the
shared ${jackson.version} property in dependencyManagement (Maven) and
constraints (Gradle), so the single property bump forces the patched
version everywhere, including transitive pulls.

jackson-annotations.version stays at 2.21 (it has no 2.21.4 release and is
not affected by these CVEs).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Kevin Cai <kevin.cai@phoenixdata.ai>
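Added example, not code from the PR or from the StarRocks build: a check for the claim in the description that routing every tree through the shared ${jackson.version} property forces the patched version onto transitive pulls as well. It parses `mvn dependency:tree -Dverbose` and `gradle dependencies` output and flags any resolved jackson-databind that is still below 2.21.4, treating the fixed release the PR names as the floor. The tree excerpts embedded below are constructed with placeholder coordinates (org.example:…), not taken from the real fe/, java-extensions/ or fs_brokers/ graphs, and the Gradle parser assumes the plain `group:artifact:version [-> resolved]` line shape rather than rich-version constraints.

```python
"""Flag modules that still resolve jackson-databind below the fixed release.

Usage against a real build (the sample trees below are constructed placeholders):
    mvn -f fe/pom.xml dependency:tree -Dverbose | python check_jackson.py
"""
import re
import sys
from typing import List, Tuple

# Fixed release named in the PR; anything resolved below it is in the affected range for both CVEs.
FIXED_VERSION = "2.21.4"
AFFECTED_ARTIFACT = "com.fasterxml.jackson.core:jackson-databind"

# Maven node: group:artifact:packaging[:classifier]:version:scope (also inside verbose parentheses).
_MAVEN = re.compile(
    r"(?P<ga>[\w.\-]+:[\w.\-]+):(?:jar|war|pom|bundle|test-jar)(?::[\w.\-]+)?"
    r":(?P<v>[\w.\-]+):(?:compile|provided|runtime|test|system)\b"
)
# Gradle node: tree glyphs, then group:artifact:declared [-> resolved] [(*)|(c)].
# Assumption: plain version strings only; rich-version constraints like {strictly x} are not parsed.
_GRADLE = re.compile(
    r"^[\s|+\\\-]*(?P<ga>[\w.\-]+:[\w.\-]+):(?P<declared>[\w.\-]+)"
    r"(?:\s+->\s+(?P<resolved>[\w.\-]+))?"
)


def parse_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """Comparable key: numeric parts zero-padded (2.21 == 2.21.0 < 2.21.4);
    a qualifier such as -rc1 sorts below the plain release of the same number."""
    base, _, qualifier = v.partition("-")
    parts = [int(p) if p.isdigit() else 0 for p in base.split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts), 0 if qualifier else 1


def resolved_coordinates(tree_text: str) -> List[Tuple[str, str, str]]:
    """(group:artifact, resolved version, raw line) for each node that ends up on the classpath."""
    nodes = []
    for line in tree_text.splitlines():
        m = _MAVEN.search(line)
        if m:
            # Verbose Maven marks losers and duplicates as "(... omitted for conflict with X)" or
            # "(... omitted for duplicate)"; the winning node is listed elsewhere, so skip these.
            if "omitted for" not in line:
                nodes.append((m.group("ga"), m.group("v"), line.strip()))
            continue
        m = _GRADLE.match(line)
        if m:
            nodes.append((m.group("ga"), m.group("resolved") or m.group("declared"), line.strip()))
    return nodes


def find_unpatched(tree_text: str, artifact: str = AFFECTED_ARTIFACT,
                   fixed: str = FIXED_VERSION) -> List[Tuple[str, str]]:
    """(version, line) for every resolved occurrence of `artifact` still below `fixed`."""
    floor = parse_version(fixed)
    return [(v, line) for ga, v, line in resolved_coordinates(tree_text)
            if ga == artifact and parse_version(v) < floor]


# Constructed `mvn dependency:tree -Dverbose` excerpt with jackson.version still at 2.21.1
# (placeholder coordinates; "version managed from 2.12.7" is how Maven shows dependencyManagement
# overriding a transitive pull).
MAVEN_BEFORE = """\
[INFO] org.example:fe-core:jar:1.0-SNAPSHOT
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.21.1:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.21:compile
[INFO] \\- org.example:hadoop-like-client:jar:3.3.6:compile
[INFO]    \\- (com.fasterxml.jackson.core:jackson-databind:jar:2.21.1:compile - version managed from 2.12.7; omitted for duplicate)
"""
MAVEN_AFTER = MAVEN_BEFORE.replace(":jar:2.21.1:", ":jar:2.21.4:")

# Constructed `gradle dependencies` excerpts: one module with the constraint applied, one without it.
GRADLE_AFTER = """\
compileClasspath - Compile classpath for source set 'main'.
+--- com.fasterxml.jackson.core:jackson-databind:2.21.4 (c)
\\--- org.example:iceberg-like:1.6.1
     \\--- com.fasterxml.jackson.core:jackson-databind:2.12.7 -> 2.21.4 (*)
"""
GRADLE_UNMANAGED = """\
compileClasspath - Compile classpath for source set 'main'.
\\--- org.example:iceberg-like:1.6.1
     \\--- com.fasterxml.jackson.core:jackson-databind:2.12.7
"""


def report(tree_text: str, label: str) -> int:
    """Print each unpatched occurrence and return how many there were."""
    hits = find_unpatched(tree_text)
    for version, line in hits:
        print(f"[{label}] jackson-databind {version} < {FIXED_VERSION}: {line}")
    return len(hits)


if __name__ == "__main__":
    piped = sys.stdin.read() if not sys.stdin.isatty() else ""
    if piped:
        sys.exit(1 if report(piped, "stdin") else 0)
    for name, sample in [("maven-before", MAVEN_BEFORE), ("maven-after", MAVEN_AFTER),
                         ("gradle-after", GRADLE_AFTER), ("gradle-unmanaged", GRADLE_UNMANAGED)]:
        print(f"{name}: {report(sample, name)} unpatched occurrence(s)")
```

Run it once per module tree (fe/, each java-extensions/ module, fs_brokers/) rather than once for the aggregate, since a module that opts out of the parent dependencyManagement or lacks the Gradle constraint is exactly the case the GRADLE_UNMANAGED sample models. Note that it only reports what is resolved onto the classpath; a jar shaded inside another artifact is invisible to dependency:tree.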
@kevincai kevincai force-pushed the bugfix/fix-cve-jackson-databind branch from 722d99e to 3d83483 on June 25, 2026 18:42
@github-actions github-actions Bot added the 4.0 label Jun 25, 2026
@github-actions github-actions Bot requested a review from gengjun-git June 25, 2026 18:42
@CelerData-Reviewer


@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. Swish!

Reviewed commit: 3d83483dab

@github-actions

Contributor

[Java-Extensions Incremental Coverage Report]

pass : 0 / 0 (0%)

@github-actions

Contributor

[FE Incremental Coverage Report]

pass : 0 / 0 (0%)

@github-actions

Contributor

[BE Incremental Coverage Report]

pass : 0 / 0 (0%)

@alvin-phoenix-ai alvin-phoenix-ai merged commit ccd82aa into StarRocks:main Jun 25, 2026
56 checks passed
@github-actions

Contributor

@Mergifyio backport branch-4.1

@github-actions

Contributor

@Mergifyio backport branch-3.5

@github-actions

Contributor

@Mergifyio backport branch-4.0

@mergify

mergify Bot commented Jun 25, 2026

Contributor

backport branch-4.1

✅ Backports have been created


@mergify

mergify Bot commented Jun 25, 2026

Contributor

backport branch-3.5

✅ Backports have been created


@mergify

mergify Bot commented Jun 25, 2026

Contributor

backport branch-4.0

✅ Backports have been created


wanpengfei-git pushed a commit that referenced this pull request Jun 25, 2026
Signed-off-by: Kevin Cai <kevin.cai@phoenixdata.ai>
Co-authored-by: Kevin Cai <kevin.cai@phoenixdata.ai>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
wanpengfei-git pushed a commit that referenced this pull request Jun 25, 2026
Signed-off-by: Kevin Cai <kevin.cai@phoenixdata.ai>
Co-authored-by: Kevin Cai <kevin.cai@phoenixdata.ai>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
wanpengfei-git pushed a commit that referenced this pull request Jun 25, 2026
Signed-off-by: Kevin Cai <kevin.cai@phoenixdata.ai>
Co-authored-by: Kevin Cai <kevin.cai@phoenixdata.ai>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
wanpengfei-git pushed a commit that referenced this pull request Jun 28, 2026
…port #75378) (#75454)

Signed-off-by: Kevin Cai <kevin.cai@phoenixdata.ai>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Co-authored-by: Kevin Cai <kevin.cai@phoenixdata.ai>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>