The CVE-2017-7525 was reported some time ago : https://github.com/FasterXML/jackson-databind/issues/1723.
The vulnerability is found in multiple versions of jackson-databind.
Since jackson-databind is a direct dependecy of Spark and other bigdata Apache projects, these projects are surely impacted by this vulnerability.
Did you evaluate the security exposure of this vulnerability on CDH ? Was it fixed in new minor versions ?