Posted to user@spark.apache.org by "Haibo.Wang@morganstanley.com" <Ha...@morganstanley.com> on 2022/12/14 09:00:23 UTC

[Spark vulnerability] replace jackson-mapper-asl

Hi All

Hope you are doing well.

Writing this email for a vulnerability issue: CVE-2018-14721
apache/spark-py: gav://org.codehaus.jackson:jackson-mapper-asl:1.9.13,CVE-2018-14721,1.8.10-cloudera.2,1.5.0 <= Version <= 1.9.13

We are trying to bring the above image into our firm, but due to the vulnerability issue, pyspark is not allowed. I understand the version stopped being maintained in 2013; is there any plan to replace jackson-mapper-asl, or any workaround? Thanks.

Regards
Harper Wang
Morgan Stanley | Corporate & Funding Technology
Kerry Parkside | 1155 Fang Dian Road, Pudong New Area
201204 Shanghai
Haibo.Wang@morganstanley.com


________________________________
NOTICE: Morgan Stanley is not acting as a municipal advisor and the opinions or views contained herein are not intended to be, and do not constitute, advice within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. By communicating with Morgan Stanley you acknowledge that you have read, understand and consent, (where applicable), to the Morgan Stanley General Disclaimers found at http://www.morganstanley.com/disclaimers/terms. The entire content of this email message and any files attached to it may be sensitive, confidential, subject to legal privilege and/or otherwise protected from disclosure.

Re: [EXTERNAL] Re: [Spark vulnerability] replace jackson-mapper-asl

Posted by Sean Owen <sr...@gmail.com>.
Please read the CVE you mention. It is not a CVE about the library you are
referencing.
https://nvd.nist.gov/vuln/detail/CVE-2018-14721


On Thu, Dec 15, 2022 at 7:52 PM Haibo.Wang@morganstanley.com <
Haibo.Wang@morganstanley.com> wrote:

> Hi Owen
>
> As confirmed with our firm's appsec team, the library is still being used in
> Spark 3.3.1. I can also see the dependency below:
>
> https://github.com/apache/spark/blob/v3.3.1/pom.xml#L1784
>
> Is there some misunderstanding? I would appreciate it if you could clarify
> further, thanks.
>
> Regards
>
> Harper

RE: [EXTERNAL] Re: [Spark vulnerability] replace jackson-mapper-asl

Posted by "Haibo.Wang@morganstanley.com" <Ha...@morganstanley.com>.
Hi Owen

As confirmed with our firm's appsec team, the library is still being used in Spark 3.3.1. I can also see the dependency below:
https://github.com/apache/spark/blob/v3.3.1/pom.xml#L1784

Is there some misunderstanding? I would appreciate it if you could clarify further, thanks.

Regards
Harper

From: Sean Owen <sr...@gmail.com>
Sent: Wednesday, December 14, 2022 10:27 PM
To: Wang, Harper (FRPPE) <Ha...@morganstanley.com>
Cc: user@spark.apache.org
Subject: Re: [EXTERNAL] Re: [Spark vulnerability] replace jackson-mapper-asl

The CVE you mention seems to affect jackson-databind, not jackson-mapper-asl.  3.3.1 already uses databind 2.13.x which is not affected.


Re: [EXTERNAL] Re: [Spark vulnerability] replace jackson-mapper-asl

Posted by Sean Owen <sr...@gmail.com>.
The CVE you mention seems to affect jackson-databind, not
jackson-mapper-asl.  3.3.1 already uses databind 2.13.x which is not
affected.

On Wed, Dec 14, 2022 at 8:20 AM Haibo.Wang@morganstanley.com <
Haibo.Wang@morganstanley.com> wrote:

> Thanks Owen for the prompt response.
>
> Sorry, I forgot to mention: it's the latest Spark version, 3.3.1.
>
> Both the spark-py image and the PyPI package below are good to use for us,
> but both have the same jackson-mapper-asl dependency.
>
> https://hub.docker.com/layers/apache/spark-py/3.3.1/images/sha256-0d4fd8bcb2ad63a35c9ba5be278a3a34c28fc15e898307e458d501a7e11d6d51?context=explore
>
> https://pypi.org/project/pyspark/
>
> Regards
>
> Harper
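Sean's point in the message above is that the scanner finding charges a CVE filed against one artifact (com.fasterxml.jackson.core:jackson-databind) to a different one (org.codehaus.jackson:jackson-mapper-asl). The script below is an added example, not code from this thread or from Apache Spark, showing how to triage such a finding against what is actually on the classpath: Maven-built jars embed their coordinates in META-INF/maven/<groupId>/<artifactId>/pom.properties, so the check can compare exact groupId:artifactId plus a version range instead of a loose name match. The jars and the advisory table are constructed for the demo; the jackson-databind 2.13.4 version is illustrative rather than a verified inventory of the 3.3.1 image, and the affected range for CVE-2018-14721 is transcribed from the NVD description ("2.x before 2.9.7") and should be confirmed against the advisory before you rely on it.

```python
"""Triage a dependency-scanner finding against the jars actually shipped.

Added example; not code from the mailing-list thread or from Apache Spark.
Maven-built jars carry META-INF/maven/<groupId>/<artifactId>/pom.properties,
so a finding can be checked against exact coordinates rather than a name match.
The advisory table and the sample jars are constructed for this demo.
"""
import re
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Optional, Tuple

Coordinates = Tuple[str, str, str]  # (groupId, artifactId, version)


@dataclass(frozen=True)
class Advisory:
    cve: str
    group: str
    artifact: str
    first_affected: str  # inclusive
    first_fixed: str     # exclusive


# Constructed sample table keyed by exact Maven coordinates. The range for
# CVE-2018-14721 is transcribed from the NVD text "2.x before 2.9.7" (assumption:
# re-check against the advisory before relying on it).
ADVISORIES = {
    "CVE-2018-14721": Advisory("CVE-2018-14721", "com.fasterxml.jackson.core",
                               "jackson-databind", "2.0.0", "2.9.7"),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric prefix as an int tuple: '1.8.10-cloudera.2' -> (1, 8, 10)."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def in_affected_range(version: str, adv: Advisory) -> bool:
    """first_affected <= version < first_fixed, compared numerically per segment."""
    v = parse_version(version)
    return parse_version(adv.first_affected) <= v < parse_version(adv.first_fixed)


def coordinates_from_jar(jar: Path) -> Optional[Coordinates]:
    """groupId/artifactId/version from the first pom.properties inside the jar.
    Shaded jars can carry several; a full tool should report every one."""
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, _, value = line.partition("=")
                    props[key.strip()] = value.strip()
            if all(k in props for k in ("groupId", "artifactId", "version")):
                return props["groupId"], props["artifactId"], props["version"]
    return None


def triage(jar: Path, cve: str) -> str:
    """Verdict for the claim 'scanner says <jar> is hit by <cve>'."""
    adv = ADVISORIES.get(cve)
    if adv is None:
        return "unknown-cve"
    coords = coordinates_from_jar(jar)
    if coords is None:
        return "no-coordinates"  # cannot be decided from the jar alone; inspect by hand
    group, artifact, version = coords
    if (group, artifact) != (adv.group, adv.artifact):
        return f"different-artifact:{group}:{artifact}"
    if in_affected_range(version, adv):
        return "affected"
    return "fixed-version"


def write_sample_jar(directory: Path, group: str, artifact: str, version: str) -> Path:
    """Constructed jar holding only the pom.properties a Maven build would embed."""
    path = directory / f"{artifact}-{version}.jar"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"#Generated by Maven\ngroupId={group}\nartifactId={artifact}\nversion={version}\n")
    return path


def demo() -> Dict[str, str]:
    """Triage three constructed jars against CVE-2018-14721; returns {jar name: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        jars = [
            write_sample_jar(d, "org.codehaus.jackson", "jackson-mapper-asl", "1.9.13"),
            write_sample_jar(d, "com.fasterxml.jackson.core", "jackson-databind", "2.13.4"),
            write_sample_jar(d, "com.fasterxml.jackson.core", "jackson-databind", "2.9.5"),
        ]
        return {j.name: triage(j, "CVE-2018-14721") for j in jars}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run as-is to see the three verdicts: the jackson-mapper-asl jar comes back as a different artifact, the 2.13.4 databind jar as a fixed version, and the 2.9.5 one as affected. To triage a real image, point triage() at each jar in the image's Spark jars directory and at the CVE the scanner reported; a jar with no pom.properties, or a shaded jar with several, is reported as undecidable rather than guessed from its filename.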

RE: [EXTERNAL] Re: [Spark vulnerability] replace jackson-mapper-asl

Posted by "Haibo.Wang@morganstanley.com" <Ha...@morganstanley.com>.
Thanks Owen for the prompt response.
Sorry, I forgot to mention: it's the latest Spark version, 3.3.1.
Both the spark-py image and the PyPI package below are good to use for us, but both have the same jackson-mapper-asl dependency.

https://hub.docker.com/layers/apache/spark-py/3.3.1/images/sha256-0d4fd8bcb2ad63a35c9ba5be278a3a34c28fc15e898307e458d501a7e11d6d51?context=explore
https://pypi.org/project/pyspark/

Regards
Harper


From: Sean Owen <sr...@gmail.com>
Sent: Wednesday, December 14, 2022 9:32 PM
To: Wang, Harper (FRPPE) <Ha...@morganstanley.com>
Cc: user@spark.apache.org
Subject: [EXTERNAL] Re: [Spark vulnerability] replace jackson-mapper-asl

What Spark version are you referring to? If it's an unsupported version, no, no plans to update it.
What image are you referring to?


Re: [Spark vulnerability] replace jackson-mapper-asl

Posted by Sean Owen <sr...@gmail.com>.
What Spark version are you referring to? If it's an unsupported version,
no, no plans to update it.
What image are you referring to?

On Wed, Dec 14, 2022 at 7:14 AM Haibo.Wang@morganstanley.com <
Haibo.Wang@morganstanley.com> wrote:

> Hi All
>
> Hope you are doing well.
>
> Writing this email for a vulnerability issue: CVE-2018-14721
>
> apache/spark-py:
> gav://org.codehaus.jackson:jackson-mapper-asl:1.9.13,CVE-2018-14721,1.8.10-cloudera.2,1.5.0
> <= Version <= 1.9.13
>
> We are trying to bring the above image into our firm, but due to the
> vulnerability issue, pyspark is not allowed. I understand the version
> stopped being maintained in 2013; is there any plan to replace
> jackson-mapper-asl, or any workaround? Thanks.
>
> Regards
>
> Harper Wang
>
> Morgan Stanley | Corporate & Funding Technology
> Kerry Parkside | 1155 Fang Dian Road, Pudong New Area
> 201204 Shanghai
> Haibo.Wang@morganstanley.com