Posted to dev@spark.apache.org by Pralabh Kumar <pr...@gmail.com> on 2022/05/04 15:45:37 UTC

CVE-2021-22569

Hi Dev Team

Spark is using protobuf 2.5.0, which is vulnerable to CVE-2021-22569. The CVE
recommends using protobuf 3.19.2.

Please let me know if there is a JIRA to track the update w.r.t. the CVE and
Spark, or should I create one?

Regards
Pralabh Kumar

Re: CVE-2021-22569

Posted by Sean Owen <sr...@gmail.com>.
Sure, did you search the JIRA?
https://issues.apache.org/jira/browse/SPARK-38340

Does this affect Spark's usage of protobuf?

Looks like it can't be updated to 3.x -- this is really not a dependency of
Spark but underlying dependencies.
Feel free to re-attempt a change that might work, at least with Hadoop 3 if
possible.

On Wed, May 4, 2022 at 10:46 AM Pralabh Kumar <pr...@gmail.com>
wrote:

> Hi Dev Team
>
> Spark is using protobuf 2.5.0, which is vulnerable to CVE-2021-22569. The CVE
> recommends using protobuf 3.19.2.
>
> Please let me know if there is a JIRA to track the update w.r.t. the CVE and
> Spark, or should I create one?
>
> Regards
> Pralabh Kumar
>
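Sean's reply raises the practical question of whether the protobuf version is something Spark pins or something an underlying dependency (e.g. Hadoop) drags in. One way to answer that for your own build is to parse the text output of `mvn dependency:tree` and print every path that leads to `com.google.protobuf:protobuf-java`, flagging versions below the 3.19.2 named in the thread. The script below is an added example written for this page; it is not code from the thread, from Spark or from Maven. The sample tree it parses is constructed: the coordinates and versions in it are placeholders for illustration, not a claim about what any Spark release actually ships.

```python
"""Find every path to protobuf-java in `mvn dependency:tree` text output.

Added example, not part of the Spark dev thread or the Spark project. It
parses the tree-drawing prefix Maven prints ("+- ", "|  ", "\\- ", "   ")
to recover depth, then reports each protobuf-java occurrence with the
chain of artifacts that pulled it in and whether its version is below the
fixed version the thread names for CVE-2021-22569.
"""
import re
from typing import Dict, List, Tuple

# Fixed version named in the thread for CVE-2021-22569.
FIXED_VERSION = "3.19.2"
TARGET = ("com.google.protobuf", "protobuf-java")

# Constructed sample of `mvn dependency:tree` output. The artifacts and
# versions are placeholders, not real Spark dependency data.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ my-spark-job ---
[INFO] org.example:my-spark-job:jar:1.0
[INFO] +- org.apache.spark:spark-core_2.12:jar:3.2.1:compile
[INFO] |  +- org.apache.hadoop:hadoop-client-api:jar:3.3.1:compile
[INFO] |  |  \- com.google.protobuf:protobuf-java:jar:2.5.0:compile
[INFO] |  \- org.apache.orc:orc-core:jar:1.6.12:compile
[INFO] |     \- com.google.protobuf:protobuf-java:jar:2.5.0:compile
[INFO] \- com.google.protobuf:protobuf-java:jar:3.19.2:compile
[INFO] BUILD SUCCESS
"""

# Optional "[INFO] " prefix, then tree-drawing characters, then a Maven
# coordinate with 4 to 6 colon-separated parts, then optional annotation
# (verbose mode appends e.g. "(omitted for conflict ...)").
_LINE = re.compile(r"^(?:\[INFO\] )?([|+\\ -]*)([\w.\-]+(?::[\w.\-]+){3,5})(?:\s.*)?$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven version, so 3.19.10 sorts above 3.19.2.

    Qualifiers after a dash (e.g. -SNAPSHOT) are ignored.
    """
    return tuple(int(x) for x in re.findall(r"\d+", version.split("-")[0]))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is numerically below the fixed version."""
    return parse_version(version) < parse_version(fixed)


def parse_tree(text: str) -> List[Tuple[int, Dict[str, str]]]:
    """Yield (depth, coordinate) for each dependency line.

    Depth is the number of 3-character tree segments before the coordinate.
    Coordinates are group:artifact:type[:classifier]:version[:scope].
    """
    nodes: List[Tuple[int, Dict[str, str]]] = []
    for raw in text.splitlines():
        m = _LINE.match(raw.rstrip())
        if not m:
            continue
        prefix, coord = m.groups()
        parts = coord.split(":")
        if len(parts) == 4:          # root: group:artifact:type:version
            group, artifact, _, version = parts
        elif len(parts) == 5:        # group:artifact:type:version:scope
            group, artifact, _, version, _ = parts
        elif len(parts) == 6:        # group:artifact:type:classifier:version:scope
            group, artifact, _, _, version, _ = parts
        else:
            continue
        nodes.append((len(prefix) // 3,
                      {"group": group, "artifact": artifact, "version": version}))
    return nodes


def protobuf_paths(text: str, fixed: str = FIXED_VERSION) -> List[Tuple[str, str, bool]]:
    """Return (path_from_root, version, vulnerable) for each protobuf-java node."""
    stack: List[str] = []
    found: List[Tuple[str, str, bool]] = []
    for depth, node in parse_tree(text):
        label = f"{node['group']}:{node['artifact']}:{node['version']}"
        del stack[depth:]            # pop back to this node's parent
        stack.append(label)
        if (node["group"], node["artifact"]) == TARGET:
            found.append((" -> ".join(stack), node["version"],
                          is_vulnerable(node["version"], fixed)))
    return found


if __name__ == "__main__":
    # Replace SAMPLE_TREE with the captured output of `mvn dependency:tree`.
    for path, version, vuln in protobuf_paths(SAMPLE_TREE):
        status = "BELOW " + FIXED_VERSION if vuln else "ok"
        print(f"[{status}] {path}")
```

Run it against real output with `mvn dependency:tree -Dverbose > tree.txt` and read that file instead of the embedded sample; the verbose flag keeps the conflict-omitted entries, which is where the intermediate artifact pinning an old protobuf usually shows up. The numeric comparison matters because a plain string compare would rank 3.19.10 below 3.19.2.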