FYI for the community, this is the response to the SR loaded to update the FasterXML/jackson-databind:
We received feedback from our engineering team regarding the issue you reported. Their response is as follows:
“We use Jackson to store internal data flow metrics JSON in the Pega database. The code to serialize/deserialize metrics is not exposed to the end user. User input is not used inside the JSON, hence there is no direct way to exploit this vulnerability.”
An enhancement request will be raised to upgrade to the higher (non-vulnerable) version of Jackson Databind API in a future version as the entire platform would need to be thoroughly tested.