Posted to issues@spark.apache.org by "Hyukjin Kwon (Jira)" <ji...@apache.org> on 2021/09/26 03:54:00 UTC

[jira] [Commented] (SPARK-36826) CVEs in libraries used in bundled jars

    [ https://issues.apache.org/jira/browse/SPARK-36826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17420201#comment-17420201 ] 

Hyukjin Kwon commented on SPARK-36826:
--------------------------------------

cc [~srowen] fyi

> CVEs in libraries used in bundled jars
> --------------------------------------
>
>                 Key: SPARK-36826
>                 URL: https://issues.apache.org/jira/browse/SPARK-36826
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Core
>    Affects Versions: 3.1.2
>            Reporter: Carlos Rodríguez Hernández
>            Priority: Major
>
> Hi, I found several CVEs in dependency libraries bundled in the _aws-java-sdk-bundle_ jar.
> We are using Spark 3.1.2, which bundles _hadoop-*_ jars version 3.2.0:
> {code:bash}
> $ curl -JLO "https://ftp.cixug.es/apache/spark/spark-3.1.2/spark-3.1.2-bin-hadoop3.2.tgz"
> $ tar xzf spark-3.1.2-bin-hadoop3.2.tgz
> $ find spark-3.1.2-bin-hadoop3.2/jars -wholename '*/hadoop-*'
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-client-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-mapreduce-client-core-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-common-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-mapreduce-client-jobclient-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-auth-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-yarn-server-common-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-yarn-api-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-yarn-registry-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-annotations-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-yarn-client-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-hdfs-client-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-mapreduce-client-common-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-yarn-common-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-yarn-server-web-proxy-3.2.0.jar
> {code}
> There is a dependency between the _hadoop-aws_, _hadoop-common_, and _hadoop-project_ versions as well; the _aws-java-sdk_ version should match the one required by _hadoop-project_. Due to these dependencies we are including _hadoop-aws-3.2.0_ and _aws-java-sdk-bundle-1.11.375_:
> {code:bash}
> $ find spark-3.1.2-bin-hadoop3.2/jars -wholename 
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-aws-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/aws-java-sdk-bundle-1.11.375.jar
> {code}
> Taking a look at the _hadoop-project_ pom, the _aws-java-sdk_ version is the correct one:
> {code:bash}
> $ curl -JLO "https://repo1.maven.org/maven2/org/apache/hadoop/hadoop-project/3.2.0/hadoop-project-3.2.0.pom"
> $ cat hadoop-project-3.2.0.pom | grep aws-java-sdk
>     <aws-java-sdk.version>1.11.375</aws-java-sdk.version>
>         <artifactId>aws-java-sdk-bundle</artifactId>
>         <version>${aws-java-sdk.version}</version>
> {code}
> Do you think it would be possible to update the versions of the jars to solve the vulnerabilities?
> ----
> Please see below the CVE report for _jars/aws-java-sdk-bundle-1.11.375.jar_:
> ||LIBRARY||VULNERABILITY ID||SEVERITY||INSTALLED VERSION||FIXED VERSION||TITLE||
> |com.fasterxml.jackson.core:jackson-databind|CVE-2017-15095|CRITICAL|2.6.7.1|2.9.4, 2.8.11|jackson-databind: Unsafe|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2017-17485|CRITICAL|2.6.7.1|2.8.11, 2.9.4|jackson-databind: Unsafe|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-11307|CRITICAL|2.6.7.1|2.8.11.2, 2.7.9.4, 2.9.6|jackson-databind: Potential|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-14718|CRITICAL|2.6.7.1|2.7.9.5, 2.8.11.3, 2.9.7|jackson-databind: arbitrary code|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-14719|CRITICAL|2.6.7.1|2.7.9.5, 2.8.11.3, 2.9.7|jackson-databind: arbitrary|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-14720|CRITICAL|2.6.7.1|2.6.7.2, 2.9.7|jackson-databind: exfiltration/XXE|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-14721|CRITICAL|2.6.7.1|2.6.7.2, 2.9.7|jackson-databind: server-side request|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-19360|CRITICAL|2.6.7.1|2.6.7.3, 2.7.9.5, 2.8.11.3|jackson-databind: improper|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-19361|CRITICAL|2.6.7.1|2.6.7.3, 2.7.9.5, 2.8.11.3|jackson-databind: improper|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-19362|CRITICAL|2.6.7.1|2.6.7.3, 2.7.9.5, 2.8.11.3|jackson-databind: improper|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-7489|CRITICAL|2.6.7.1|2.8.11.1, 2.9.5|jackson-databind: incomplete fix|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-14379|CRITICAL|2.6.7.1|2.9.9.2|jackson-databind: default|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-14540|CRITICAL|2.6.7.1|2.9.10|jackson-databind:|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-14892|CRITICAL|2.6.7.1|2.9.10, 2.8.11.5, 2.6.7.3|jackson-databind: Serialization|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-14893|CRITICAL|2.6.7.1|2.8.11.5, 2.9.10|jackson-databind:|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-16335|CRITICAL|2.6.7.1|2.9.10|jackson-databind:|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-16942|CRITICAL|2.6.7.1|2.9.10.1|jackson-databind:|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-16943|CRITICAL|2.6.7.1|2.9.10.1|jackson-databind:|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-17267|CRITICAL|2.6.7.1|2.9.10|jackson-databind: Serialization|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-17531|CRITICAL|2.6.7.1|2.9.10.1|jackson-databind:|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-20330|CRITICAL|2.6.7.1|2.9.10.2, 2.8.11.5|jackson-databind: lacks|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2020-8840|CRITICAL|2.6.7.1|2.9.10.3, 2.8.11.5|jackson-databind: Lacks certain|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2020-9547|CRITICAL|2.6.7.1|2.9.10.4|jackson-databind: Serialization|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2020-9548|CRITICAL|2.6.7.1|2.9.10.4|jackson-databind: Serialization|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-12022|HIGH|2.6.7.1|2.8.11.2, 2.7.9.4, 2.9.6|jackson-databind: improper|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-5968|HIGH|2.6.7.1|2.9.4, 2.8.11|jackson-databind: unsafe|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-12086|HIGH|2.6.7.1|2.9.9|jackson-databind: polymorphic|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-14439|HIGH|2.6.7.1|2.9.9.2|jackson-databind: Polymorphic|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2020-10673|HIGH|2.6.7.1|2.9.10.4|jackson-databind: mishandles|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2020-25649|HIGH|2.6.7.1|2.10.5.1, 2.9.10.7, 2.6.7.4|jackson-databind: FasterXML|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2020-35490|HIGH|2.6.7.1|2.9.10.8|jackson-databind: mishandles the interaction|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2020-35491|HIGH|2.6.7.1|2.9.10.8|jackson-databind: mishandles the interaction|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2021-20190|HIGH|2.6.7.1|2.9.10.7|jackson-databind: mishandles|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-1000873|MEDIUM|2.6.7.1|2.9.8|jackson-modules-java8: DoS due|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-12384|MEDIUM|2.6.7.1|2.9.9.1|jackson-databind: failure|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-12814|MEDIUM|2.6.7.1|2.9.9.1|jackson-databind: polymorphic|
> |io.netty:netty-codec-http|CVE-2021-21290|MEDIUM|4.1.17.Final|4.1.59.Final|netty: Information disclosure via|
> |io.netty:netty-handler|CVE-2019-20444|CRITICAL|4.1.17.Final|4.1.44|netty: HTTP request smuggling|
> |io.netty:netty-handler|CVE-2019-20445|CRITICAL|4.1.17.Final|4.1.45|netty: HttpObjectDecoder.java allows|
> |io.netty:netty-handler|CVE-2020-11612|HIGH|4.1.17.Final|4.1.46|netty: compression/decompression|
> |org.apache.httpcomponents:httpclient|CVE-2020-13956|MEDIUM|4.5.5|5.0.3, 4.5.13|apache-httpclient: incorrect|
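As an added example (not from the issue reporter or from the Spark project), the following Python check parses rows written in the report's Jira table markup and reports which listed CVEs a proposed upgrade version would still leave open. The sample rows are a constructed subset of the table above, and the version-comparison rule (fixed within the candidate's own major.minor line, or in a newer line than every listed fix) is an assumption of this example, not a rule stated in the report.

```python
"""Check proposed dependency upgrades against a Jira-markup CVE report."""
from collections import defaultdict

# Constructed sample: a subset of rows from the issue's table, in Jira table syntax.
REPORT = """\
||LIBRARY||VULNERABILITY ID||SEVERITY||INSTALLED VERSION||FIXED VERSION||TITLE||
|com.fasterxml.jackson.core:jackson-databind|CVE-2020-8840|CRITICAL|2.6.7.1|2.9.10.3, 2.8.11.5|jackson-databind: Lacks certain|
|com.fasterxml.jackson.core:jackson-databind|CVE-2020-35491|HIGH|2.6.7.1|2.9.10.8|jackson-databind: mishandles the interaction|
|com.fasterxml.jackson.core:jackson-databind|CVE-2020-25649|HIGH|2.6.7.1|2.10.5.1, 2.9.10.7, 2.6.7.4|jackson-databind: FasterXML|
|io.netty:netty-handler|CVE-2019-20445|CRITICAL|4.1.17.Final|4.1.45|netty: HttpObjectDecoder.java allows|
"""

def parse_version(v):
    """Turn '2.9.10.3' or '4.1.17.Final' into a comparable tuple of ints.
    Non-numeric qualifiers such as 'Final' are dropped; this is enough for the
    Maven versions in this report but is not a full Maven version parser."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def parse_report(text):
    """Return (library, cve, installed, [fixed versions]) for each Jira table row."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("|") or line.startswith("||"):
            continue  # blank lines and the '||...||' header row
        cells = [c.strip() for c in line.strip("|").split("|")]
        lib, cve, _severity, installed, fixed, _title = cells
        rows.append((lib, cve, installed, [f.strip() for f in fixed.split(",")]))
    return rows

def is_fixed(candidate, fixed_versions):
    """Assumed rule: a candidate resolves a CVE if it is at or above the fix listed
    for its own major.minor line, or if its line is newer than every listed fix
    (i.e. we assume fixes were carried forward to later release lines)."""
    cand = parse_version(candidate)
    fixes = [parse_version(f) for f in fixed_versions]
    same_line = [f for f in fixes if f[:2] == cand[:2]]
    if same_line:
        return cand >= min(same_line)
    return cand[:2] > max(f[:2] for f in fixes)

def unresolved(text, upgrades):
    """Map library -> CVEs still open after applying the proposed upgrade versions.
    Libraries absent from `upgrades` are checked at their installed version."""
    out = defaultdict(list)
    for lib, cve, installed, fixed in parse_report(text):
        if not is_fixed(upgrades.get(lib, installed), fixed):
            out[lib].append(cve)
    return dict(out)
```

Feeding the full table from the issue into `unresolved` with a candidate Jackson and Netty version shows at a glance whether a proposed bump clears every listed CVE or only some of them.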



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
