Gregory_Knott
Joined: Oct 8, 2019
Messages: 10
Offline
Is it possible to release an updated version of the SDK which uses the latest jackson-databind, which does not have vulnerabilities?

The latest version of the CCS SDK ships with jackson-databind-2.5.5.jar.
I have found that upgrading to jackson-databind-2.6.7.5.jar still works, but this is still a very old version and also has a long list of vulnerabilities.
Upgrading any further results in ccs-api.jar not functioning anymore.

The latest version of jackson-databind is: jackson-databind-2.16.1.jar

Is there any hope???

Greg.
Gregory_Knott
Joined: Oct 8, 2019
Messages: 10
Offline
Avaya is refusing to update product SDK which has 47 security vulnerabilities.

Recommend to move away from Avaya contact center solutions.

jackson-databind vulnerabilities

CVE-2017-17485
CVE-2018-11307
CVE-2018-14719
CVE-2018-7489
CVE-2019-14379
CVE-2019-16942
CVE-2019-17267
CVE-2020-9547
CVE-2020-9548
CVE-2018-12022
CVE-2018-5968
CVE-2019-12086
CVE-2020-10650
CVE-2020-24616
CVE-2020-35490
CVE-2020-35491
CVE-2020-35728
CVE-2020-36184
CVE-2020-36185
CVE-2020-36186
CVE-2020-36187
CVE-2020-36518
CVE-2022-42003
CVE-2022-42004
JonAlperin
Joined: Oct 25, 2013
Messages: 47
Location: New Jersey, USA
Offline
This item has been escalated with both Avaya Product Management and Avaya Engineering, and the issue is being reviewed. The AACC Product Manager should be reaching out to you directly as well.

Following Avaya procedures, we'll publish updates via our Product Support Notice process in due course, and once available, we'll provide an update here as well.

Jon Alperin,
Managing Director, DevConnect
MartinWalker
Joined: Dec 20, 2022
Messages: 1
Offline
I'm Martin Walker, product manager for Avaya Aura Contact Center.

I've discussed with Engineering and Avaya is reviewing the issue.

@Gregory Knott, we will be in contact with you directly.

And following normal procedures, we'll publish updates via the Product Support Notice process in due course.