Posted to issues@spark.apache.org by "Sean R. Owen (Jira)" <ji...@apache.org> on 2020/08/16 17:00:00 UTC

[jira] [Resolved] (SPARK-32336) 11 Critical & 4 High severity issues in Apache Spark 3.0.0 - dependency libraries

     [ https://issues.apache.org/jira/browse/SPARK-32336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean R. Owen resolved SPARK-32336.
----------------------------------
    Resolution: Invalid

Some of these are _Spark_ CVEs that are already resolved.
Some do not seem to affect Spark.
It isn't useful to dump the output of a static checker; which, if any, do you think affect Spark, and what's the resolution?
There is no further description here.

> 11 Critical & 4 High severity issues in Apache Spark 3.0.0 - dependency libraries
> ---------------------------------------------------------------------------------
>
>                 Key: SPARK-32336
>                 URL: https://issues.apache.org/jira/browse/SPARK-32336
>             Project: Spark
>          Issue Type: Bug
>          Components: Build, Security
>    Affects Versions: 3.0.0
>         Environment: Generic Linux - but these dependencies are in the libraries that Spark pulls in.
> Given that several of these are several years old, and highly severe (remote code execution is possible), these libraries are ripe for exploitation and it is highly likely that exploits currently exist for these issues.
>  
> Please upgrade the dependent libraries and run OWASP dependency check prior to all future releases.
>            Reporter: Albert Baker
>            Priority: Major
>              Labels: easyfix, security
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> ||*[CVE-2018-1337|https://nvd.nist.gov/vuln/detail/CVE-2018-1337]*|In Apache Directory LDAP API before 1.0.2,   - upgrade dependency to 1.0.2|
> ||*[CVE-2018-17190|https://nvd.nist.gov/vuln/detail/CVE-2018-17190]*|In all versions of Apache Spark,|
> ||*[CVE-2017-15718|https://nvd.nist.gov/vuln/detail/CVE-2017-15718]*|The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 - upgrade lib|
> ||*[CVE-2018-21234|https://nvd.nist.gov/vuln/detail/CVE-2018-21234]*|Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.|
> ||*[CVE-2019-17571|https://nvd.nist.gov/vuln/detail/CVE-2019-17571]*|Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.|
> ||*[CVE-2018-17190|https://nvd.nist.gov/vuln/detail/CVE-2018-17190]*|In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker|
> ||*[CVE-2020-9480|https://nvd.nist.gov/vuln/detail/CVE-2020-9480]*|In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret.|
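The resolution above asks the reporter to do what the raw scanner dump does not: say which findings actually apply. The following is an added triage example, not code from the ticket or from the Spark project. It assumes the report shape of OWASP dependency-check's JSON output (a top-level `dependencies` list with `fileName` and `vulnerabilities` entries), uses only the CVE ids and affected-version statement quoted in the ticket, and constructs the jar names and severities; `OWN_ARTIFACT_PREFIX`, `OWN_CVE_AFFECTED_UP_TO`, `parse_version` and `triage` are names introduced here.

```python
import json
import re

# Constructed sample in the shape of an OWASP dependency-check JSON report
# (assumption: the real report has a top-level "dependencies" list whose entries
# carry "fileName" and a "vulnerabilities" list of {"name", "severity"}).
# CVE ids come from the ticket; jar names and severities are constructed.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "spark-core_2.12-3.0.0.jar", "vulnerabilities": [
        {"name": "CVE-2018-17190", "severity": "CRITICAL"},
        {"name": "CVE-2018-17190", "severity": "CRITICAL"},  # repeated, as in the ticket
        {"name": "CVE-2020-9480", "severity": "CRITICAL"}]},
    {"fileName": "log4j-1.2.17.jar", "vulnerabilities": [
        {"name": "CVE-2019-17571", "severity": "CRITICAL"}]},
    {"fileName": "jodd-core-3.5.2.jar", "vulnerabilities": [
        {"name": "CVE-2018-21234", "severity": "HIGH"}]},
]})

# Reviewer-supplied knowledge: CVEs the project itself owns, with the last
# affected version as stated in the advisory text. The ticket quotes
# CVE-2020-9480 as affecting "Apache Spark 2.4.5 and earlier".
OWN_ARTIFACT_PREFIX = "spark-"                       # assumption: project's own jars
OWN_CVE_AFFECTED_UP_TO = {"CVE-2020-9480": (2, 4, 5)}

VERSION_RE = re.compile(r"-(\d+(?:\.\d+)*)\.jar$")

def parse_version(file_name):
    """Return the numeric version tuple from a jar file name, or () if absent."""
    m = VERSION_RE.search(file_name)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()

def triage(report_json, own_prefix=OWN_ARTIFACT_PREFIX, affected=OWN_CVE_AFFECTED_UP_TO):
    """Collapse a raw scanner dump into one row per (artifact, CVE) with a status."""
    rows, seen = [], set()
    for dep in json.loads(report_json)["dependencies"]:
        name, version = dep["fileName"], parse_version(dep["fileName"])
        for vuln in dep.get("vulnerabilities", []):
            key = (name, vuln["name"])
            if key in seen:          # scanners often repeat a CVE once per matching CPE
                continue
            seen.add(key)
            if name.startswith(own_prefix):
                last_bad = affected.get(vuln["name"])
                # Own advisory with a known range: compare the shipped version to it;
                # otherwise the release notes / security page must be checked by hand.
                status = ("own-advisory-not-affected" if last_bad and version > last_bad
                          else "own-advisory-check-release-notes")
            else:
                status = "dependency-needs-review"   # reachability and upgrade path to decide
            rows.append({"artifact": name, "cve": vuln["name"],
                         "severity": vuln["severity"], "status": status})
    return rows
```

Running `triage(SAMPLE_REPORT)` collapses the duplicated CVE-2018-17190 row, marks CVE-2020-9480 as outside its stated range for a 3.0.0 jar, and leaves the log4j and Jodd findings for manual review, which is the form of answer the resolution comment asks for.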



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org