You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Dhaval Shewale (Jira)" <ji...@apache.org> on 2022/02/18 18:06:00 UTC
[jira] [Updated] (SPARK-38252) Upgrade Dependencies in spark-sql library
[ https://issues.apache.org/jira/browse/SPARK-38252?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dhaval Shewale updated SPARK-38252:
-----------------------------------
Description:
There are numerous vulnerabilities in *spark-sql* Java API.
Can we pls upgrade the transitive dependencies to mitigate these vulnerabilities.
+*Dependency*+
{quote}{{<dependency>}}
{{ <groupId>org.apache.spark</groupId>}}
{{ <artifactId>spark-sql_2.13</artifactId>}}
{{ <version>3.2.1</version>}}
{{</dependency>}}
{quote}
+*Vulnerabilities*+
{quote}{{*---------------------------------------------------------*}}
{{| SEVERITY | LIBRARY | ID |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | commons-compress-1.20.jar | CVE-2021-35515 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | commons-compress-1.20.jar | CVE-2021-35516 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | commons-compress-1.20.jar | CVE-2021-35517 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | commons-compress-1.20.jar | CVE-2021-36090 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | gson-2.8.6.jar | WS-2021-0419 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2019-17571 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2020-9493 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2021-4104 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2022-23302 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2022-23305 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2022-23307 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | netty-all-4.1.68.Final.jar | WS-2020-0408 |}}
{{|----------|-----------------------------|----------------|}}
{{| MEDIUM | jackson-core-2.12.3.jar | WS-2021-0616 |}}
{{|----------|-----------------------------|----------------|}}
{{| MEDIUM | jackson-databind-2.12.3.jar | WS-2021-0616 |}}
{{|----------|-----------------------------|----------------|}}
{{| MEDIUM | netty-all-4.1.68.Final.jar | CVE-2021-43797 |}}
{{|----------|-----------------------------|----------------|}}
{{| MEDIUM | protobuf-java-2.5.0.jar | CVE-2021-22569 |}}
{{|----------|-----------------------------|----------------|}}
{{| LOW | log4j-1.2.17.jar | CVE-2020-9488 |}}
{{*---------------------------------------------------------*}}{quote}
was:
There are numerous vulnerabilities in *spark-sql* Java API.
Can we pls upgrade the transitive dependencies to mitigate these vulnerabilities.
+*Dependency*+
{quote}{{<dependency>}}
{{ <groupId>org.apache.spark</groupId>}}
{{ <artifactId>spark-sql_2.13</artifactId>}}
{{ <version>3.2.1</version>}}
{{</dependency>}}
{quote}
+*Vulnerabilities*+
{quote}{{Found 17 vulnerabilities (12 High, 4 Medium, 1 Low)}}
{{*---------------------------------------------------------*}}
{{| SEVERITY | LIBRARY | ID |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | commons-compress-1.20.jar | CVE-2021-35515 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | commons-compress-1.20.jar | CVE-2021-35516 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | commons-compress-1.20.jar | CVE-2021-35517 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | commons-compress-1.20.jar | CVE-2021-36090 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | gson-2.8.6.jar | WS-2021-0419 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2019-17571 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2020-9493 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2021-4104 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2022-23302 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2022-23305 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2022-23307 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | netty-all-4.1.68.Final.jar | WS-2020-0408 |}}
{{|----------|-----------------------------|----------------|}}
{{| MEDIUM | jackson-core-2.12.3.jar | WS-2021-0616 |}}
{{|----------|-----------------------------|----------------|}}
{{| MEDIUM | jackson-databind-2.12.3.jar | WS-2021-0616 |}}
{{|----------|-----------------------------|----------------|}}
{{| MEDIUM | netty-all-4.1.68.Final.jar | CVE-2021-43797 |}}
{{|----------|-----------------------------|----------------|}}
{{| MEDIUM | protobuf-java-2.5.0.jar | CVE-2021-22569 |}}
{{|----------|-----------------------------|----------------|}}
{{| LOW | log4j-1.2.17.jar | CVE-2020-9488 |}}
{{*---------------------------------------------------------*}}
{quote}
> Upgrade Dependencies in spark-sql library
> -----------------------------------------
>
> Key: SPARK-38252
> URL: https://issues.apache.org/jira/browse/SPARK-38252
> Project: Spark
> Issue Type: Dependency upgrade
> Components: Java API
> Affects Versions: 3.2.1
> Reporter: Dhaval Shewale
> Priority: Major
>
> There are numerous vulnerabilities in *spark-sql* Java API.
> Can we pls upgrade the transitive dependencies to mitigate these vulnerabilities.
>
> +*Dependency*+
> {quote}{{<dependency>}}
> {{ <groupId>org.apache.spark</groupId>}}
> {{ <artifactId>spark-sql_2.13</artifactId>}}
> {{ <version>3.2.1</version>}}
> {{</dependency>}}
> {quote}
>
> +*Vulnerabilities*+
> {quote}{{*---------------------------------------------------------*}}
> {{| SEVERITY | LIBRARY | ID |}}
> {{|----------|-----------------------------|----------------|}}
> {{| HIGH | commons-compress-1.20.jar | CVE-2021-35515 |}}
> {{|----------|-----------------------------|----------------|}}
> {{| HIGH | commons-compress-1.20.jar | CVE-2021-35516 |}}
> {{|----------|-----------------------------|----------------|}}
> {{| HIGH | commons-compress-1.20.jar | CVE-2021-35517 |}}
> {{|----------|-----------------------------|----------------|}}
> {{| HIGH | commons-compress-1.20.jar | CVE-2021-36090 |}}
> {{|----------|-----------------------------|----------------|}}
> {{| HIGH | gson-2.8.6.jar | WS-2021-0419 |}}
> {{|----------|-----------------------------|----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2019-17571 |}}
> {{|----------|-----------------------------|----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2020-9493 |}}
> {{|----------|-----------------------------|----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2021-4104 |}}
> {{|----------|-----------------------------|----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2022-23302 |}}
> {{|----------|-----------------------------|----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2022-23305 |}}
> {{|----------|-----------------------------|----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2022-23307 |}}
> {{|----------|-----------------------------|----------------|}}
> {{| HIGH | netty-all-4.1.68.Final.jar | WS-2020-0408 |}}
> {{|----------|-----------------------------|----------------|}}
> {{| MEDIUM | jackson-core-2.12.3.jar | WS-2021-0616 |}}
> {{|----------|-----------------------------|----------------|}}
> {{| MEDIUM | jackson-databind-2.12.3.jar | WS-2021-0616 |}}
> {{|----------|-----------------------------|----------------|}}
> {{| MEDIUM | netty-all-4.1.68.Final.jar | CVE-2021-43797 |}}
> {{|----------|-----------------------------|----------------|}}
> {{| MEDIUM | protobuf-java-2.5.0.jar | CVE-2021-22569 |}}
> {{|----------|-----------------------------|----------------|}}
> {{| LOW | log4j-1.2.17.jar | CVE-2020-9488 |}}
> {{*---------------------------------------------------------*}}{quote}
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org