There was a security vulnerability recently reported to the upstream jackson-databind project at https://github.com/FasterXML/jackson-databind/issues/1599 which now has a fix released.
From my reading of that, versions 220.127.116.11, 18.104.22.168, and 2.9.0.pr3 are the first fixed versions in their respectful 2.X branches, and versions in the 2.6.X line and earlier remain vulnerable. UPDATE: now the 2.6.X line has a patch as well: 22.214.171.124 as mentioned at https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-315486340
Right now Spark master branch is on 2.6.5: https://github.com/apache/spark/blob/master/pom.xml#L164
and Hadoop branch-2.7 is on 2.2.3: https://github.com/apache/hadoop/blob/branch-2.7/hadoop-project/pom.xml#L71
and Hadoop branch-3.0.0-alpha2 is on 2.7.8: https://github.com/apache/hadoop/blob/branch-3.0.0-alpha2/hadoop-project/pom.xml#L74
We should bump Spark from 2.6.5 to 126.96.36.199 to get a patched version of this library for the next Spark release.