You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Dhaval Shewale (Jira)" <ji...@apache.org> on 2022/02/18 18:05:00 UTC

[jira] [Created] (SPARK-38252) Upgrade Dependencies in spark-sql library

Dhaval Shewale created SPARK-38252:
--------------------------------------

             Summary: Upgrade Dependencies in spark-sql library
                 Key: SPARK-38252
                 URL: https://issues.apache.org/jira/browse/SPARK-38252
             Project: Spark
          Issue Type: Dependency upgrade
          Components: Java API
    Affects Versions: 3.2.1
            Reporter: Dhaval Shewale


There are numerous vulnerabilities in *spark-sql* Java API.

Can we pls upgrade the transitive dependencies to mitigate these vulnerabilities.

 

+*Dependency*+
{quote}{{<dependency>}}
{{  <groupId>org.apache.spark</groupId>}}
{{  <artifactId>spark-sql_2.13</artifactId>}}
{{  <version>3.2.1</version>}}
{{</dependency>}}
{quote}
 

+*Vulnerabilities*+
{quote}{{Found 17 vulnerabilities (12 High, 4 Medium, 1 Low)}}
{{*---------------------------------------------------------*}}
{{| SEVERITY | LIBRARY                     | ID             |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH     | commons-compress-1.20.jar   | CVE-2021-35515 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH     | commons-compress-1.20.jar   | CVE-2021-35516 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH     | commons-compress-1.20.jar   | CVE-2021-35517 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH     | commons-compress-1.20.jar   | CVE-2021-36090 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH     | gson-2.8.6.jar              | WS-2021-0419   |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH     | log4j-1.2.17.jar            | CVE-2019-17571 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH     | log4j-1.2.17.jar            | CVE-2020-9493  |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH     | log4j-1.2.17.jar            | CVE-2021-4104  |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH     | log4j-1.2.17.jar            | CVE-2022-23302 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH     | log4j-1.2.17.jar            | CVE-2022-23305 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH     | log4j-1.2.17.jar            | CVE-2022-23307 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH     | netty-all-4.1.68.Final.jar  | WS-2020-0408   |}}
{{|----------|-----------------------------|----------------|}}
{{| MEDIUM   | jackson-core-2.12.3.jar     | WS-2021-0616   |}}
{{|----------|-----------------------------|----------------|}}
{{| MEDIUM   | jackson-databind-2.12.3.jar | WS-2021-0616   |}}
{{|----------|-----------------------------|----------------|}}
{{| MEDIUM   | netty-all-4.1.68.Final.jar  | CVE-2021-43797 |}}
{{|----------|-----------------------------|----------------|}}
{{| MEDIUM   | protobuf-java-2.5.0.jar     | CVE-2021-22569 |}}
{{|----------|-----------------------------|----------------|}}
{{| LOW      | log4j-1.2.17.jar            | CVE-2020-9488  |}}
{{*---------------------------------------------------------*}}
{quote}
 



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org