Posted to issues@spark.apache.org by "Eugene Shinn (Truveta) (Jira)" <ji...@apache.org> on 2022/07/10 23:07:00 UTC

[jira] [Created] (SPARK-39730) spark-core: sonatype-2021-1215 & sonatype-2021-1216 vulnerabilities from com.twitter:chill

Eugene Shinn (Truveta) created SPARK-39730:
----------------------------------------------

             Summary: spark-core: sonatype-2021-1215 & sonatype-2021-1216 vulnerabilities from com.twitter:chill
                 Key: SPARK-39730
                 URL: https://issues.apache.org/jira/browse/SPARK-39730
             Project: Spark
          Issue Type: Bug
          Components: Spark Core
    Affects Versions: 3.3.0, 3.2.1, 3.1.3
            Reporter: Eugene Shinn (Truveta)


Our static application security test showed that Spark Core has the following vulnerabilities due to a transitive dependency on com.esotericsoftware:kryo-shaded@4.0.2 via com.twitter:chill@0.10.0.

[34733 - kryo:DeserializeStringFuzzer: Uncaught exception in com.esotericsoftware.kryo.serializers.FieldSerializer.read - oss-fuzz (chromium.org)|https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34733]

[34646 - kryo:DeserializeCollectionsFuzzer: Uncaught exception with empty stacktrace - oss-fuzz (chromium.org)|https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34646]

Both vulnerabilities were addressed in kryo@5.3.0+. Once chill has been upgraded ([Upgrade com.esotericsoftware:kryo-shaded:jar:4.0.2 to avoid security risk · Issue #665 · twitter/chill (github.com)|https://github.com/twitter/chill/issues/665]), Spark Core should be updated as well.
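As an added example (not part of this ticket, chill or the Spark project), a script that walks `mvn dependency:tree` output and reports every dependency path ending in a `com.esotericsoftware:kryo` or `kryo-shaded` artifact older than 5.3.0, the fix version named above. The tree text is constructed to mirror the spark-core -> chill -> kryo-shaded chain in this report; the project coordinates in it are made up.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not real build output);
# versions mirror the chain in SPARK-39730: spark-core -> chill -> kryo-shaded.
SAMPLE_TREE = """\
[INFO] com.example:analytics-job:jar:1.0.0
[INFO] +- org.apache.spark:spark-core_2.12:jar:3.3.0:compile
[INFO] |  +- com.twitter:chill_2.12:jar:0.10.0:compile
[INFO] |  |  \\- com.esotericsoftware:kryo-shaded:jar:4.0.2:compile
[INFO] \\- com.esotericsoftware:kryo-shaded:jar:5.3.0:test
"""

# Kryo release the ticket names as fixing both oss-fuzz findings.
FIXED_IN = (5, 3, 0)

# Node lines look like "[INFO] |  +- group:artifact:jar:version[:scope]";
# every 3-character prefix unit ("+- ", "|  ", "\- ", "   ") is one tree level.
NODE_RE = re.compile(
    r"^\[INFO\] ([|+\\ -]*)([\w.-]+):([\w.-]+):jar:([\w.-]+)(?::(\w+))?$")

def version_tuple(v):
    """'4.0.2' -> (4, 0, 2); non-numeric parts (e.g. 'SNAPSHOT') count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", v)]
    return tuple((parts + [0, 0, 0])[:3])

def parse_tree(text):
    """Return (depth, group, artifact, version, scope) for every node line."""
    nodes = []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            prefix, group, artifact, version, scope = m.groups()
            nodes.append((len(prefix) // 3, group, artifact, version, scope or "compile"))
    return nodes

def find_vulnerable_kryo(text):
    """Return (scope, 'root > ... > kryo') for each Kryo node older than FIXED_IN."""
    findings, ancestors = [], []
    for depth, group, artifact, version, scope in parse_tree(text):
        del ancestors[depth:]  # leave the previous sibling's subtree
        ancestors.append(f"{group}:{artifact}:{version}")
        if (group == "com.esotericsoftware" and artifact in ("kryo", "kryo-shaded")
                and version_tuple(version) < FIXED_IN):
            findings.append((scope, " > ".join(ancestors)))
    return findings

if __name__ == "__main__":
    for scope, path in find_vulnerable_kryo(SAMPLE_TREE):
        print(f"[{scope}] {path}")
```

Run it against real output with `mvn dependency:tree | python3 script.py` after swapping `SAMPLE_TREE` for `sys.stdin.read()`; only the compile-scope 4.0.2 copy is reported, the 5.3.0 test-scope copy is not.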



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
