You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Dongjoon Hyun (Jira)" <ji...@apache.org> on 2022/10/25 22:22:00 UTC

[jira] [Resolved] (SPARK-40908) need guidance for vulnerability CVE-2022-42889 in spark 3.0.0 version

     [ https://issues.apache.org/jira/browse/SPARK-40908?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dongjoon Hyun resolved SPARK-40908.
-----------------------------------
    Resolution: Invalid

Hi, [~rajesh.katkar] . 

1. Apache JIRA is not a good place for Q&A. Please use dev mailing list for questions next time.

2. We cannot change anything for the released artifacts. We only discuss about the next releases.

3. Lastly, as you described in the PR description, EOL is literally EOL. There is no much things for the community to do.

Please use Apache Spark 3.3.1 which is released Today.

> need guidance for vulnerability CVE-2022-42889 in spark 3.0.0 version
> ---------------------------------------------------------------------
>
>                 Key: SPARK-40908
>                 URL: https://issues.apache.org/jira/browse/SPARK-40908
>             Project: Spark
>          Issue Type: Question
>          Components: Spark Core
>    Affects Versions: 3.0.0
>            Reporter: Rajesh
>            Priority: Major
>              Labels: SECURITY, security
>
> Hi Spark team,
>  
> [~dongjoon]  [~bjornjorgensen] 
>  
>  
> We are using spark 3.0.0 on AWS EMR service to run our spark jobs. 
> spark-core_2.12:3.0.0  has transitive dependency on commons-text 1.6 and this is flagged as critical severity CVE-2022-42889.
> As per Jira SPARK-40801 , commons text has been upgraded and spark 3.4.0 is released.
> We are dependent on AWS EMR service and changing EMR version and spark version is big task for us considering all downstream dependent applications
> We know spark 3.0.0 is EOL for you but would really appreciate if could provide guidance on it.
> We have few queries and need inputs from spark dev team to handle this issue on priority at our end 
>  
>  
>  * Does spark-core 3.0.0 use StringSubstitutor API and {*}do we need to worry about this{*}?
>  * which lib or code within spark core 3.0.0 triggers StringSubstitutor  method ?
>  * I searched for spark source code for usage of StringSubstitutor  and found one reference here [https://github.com/apache/spark/blob/master/core/src/main/scala/org/apache/spark/ErrorClassesJSONReader.scala] in master branch but this class  is not available in spark 3.0.0 tags. As per link - [https://blogs.apache.org/security/entry/cve-2022-42889] , If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: you are only affected when this software uses the {{StringSubstitutor}} API without properly sanitizing any untrusted input.
>  *  *Please confirm if spark 3.0.0 does not use {{StringSubstitutor}} API from commons-text but just have dependency marked in POM* [https://github.com/apache/spark/blob/3fdfce3120f307147244e5eaf46d61419a723d50/pom.xml#L506]  for other API use from commons-text?
>  * in case , can we include the apache commons text 1.10.0 as explicit dependency on our applications POMs and add common text 1.6 in exclusions for spark-core , will it work ?
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org