Posted to issues@spark.apache.org by "Eugene Shinn (Truveta) (Jira)" <ji...@apache.org> on 2022/07/10 23:07:00 UTC
[jira] [Created] (SPARK-39730) spark-core: sonatype-2021-1215 & sonatype-2021-1216 vulnerabilities from com.twitter:chill
Eugene Shinn (Truveta) created SPARK-39730:
----------------------------------------------
Summary: spark-core: sonatype-2021-1215 & sonatype-2021-1216 vulnerabilities from com.twitter:chill
Key: SPARK-39730
URL: https://issues.apache.org/jira/browse/SPARK-39730
Project: Spark
Issue Type: Bug
Components: Spark Core
Affects Versions: 3.3.0, 3.2.1, 3.1.3
Reporter: Eugene Shinn (Truveta)
Our static application security test showed that Spark Core has the following vulnerabilities due to a transitive dependency on com.esotericsoftware:kryo-shaded@4.0.2 via com.twitter:chill@0.10.0.
[34733 - kryo:DeserializeStringFuzzer: Uncaught exception in com.esotericsoftware.kryo.serializers.FieldSerializer.read - oss-fuzz (chromium.org)|https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34733]
[34646 - kryo:DeserializeCollectionsFuzzer: Uncaught exception with empty stacktrace - oss-fuzz (chromium.org)|https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34646]
Both vulnerabilities were addressed in kryo@5.3.0+. Once chill has been upgraded ([Upgrade com.esotericsoftware:kryo-shaded:jar:4.0.2 to avoid security risk · Issue #665 · twitter/chill (github.com)|https://github.com/twitter/chill/issues/665]), Spark Core should be updated as well.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
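The report above hinges on a transitive path (spark-core -> com.twitter:chill -> com.esotericsoftware:kryo-shaded 4.0.2) that a direct dependency list never shows. The following is an added example, not code from the Jira issue or from the Spark or chill projects: it parses `mvn dependency:tree` output, walks the ancestor chain of every node, and flags any artifact on a watchlist whose version is below the fix threshold. The tree text is constructed to mirror the chain named in SPARK-39730, the project coordinates `com.example:analytics-job` are invented, and the 5.3.0 threshold is the fixed version the report states.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of `mvn dependency:tree` output for a hypothetical job
# that depends on spark-core. Only the kryo-shaded chain is taken from the
# report above; the root artifact and the other versions are made up.
SAMPLE_TREE = """\
[INFO] com.example:analytics-job:jar:1.0.0
[INFO] +- org.apache.spark:spark-core_2.12:jar:3.3.0:compile
[INFO] |  +- com.twitter:chill_2.12:jar:0.10.0:compile
[INFO] |  |  \\- com.esotericsoftware:kryo-shaded:jar:4.0.2:compile
[INFO] |  \\- org.apache.spark:spark-network-common_2.12:jar:3.3.0:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile
"""

# (groupId, artifactId) -> first version in which the reported issues are fixed.
# Anything older than the listed version is flagged.
WATCHLIST = {
    ("com.esotericsoftware", "kryo-shaded"): "5.3.0",
    ("com.esotericsoftware", "kryo"): "5.3.0",
}


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '4.0.2' or '5.3.0-rc1' into a tuple of leading integer components."""
    nums = []
    for part in re.split(r"[.\-]", version):
        m = re.match(r"\d+", part)
        if not m:
            break  # stop at the first non-numeric qualifier
        nums.append(int(m.group()))
    return tuple(nums)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than b (numeric, zero-padded compare)."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))


def parse_tree(text: str) -> List[Tuple[int, str, str, str]]:
    """Yield (depth, groupId, artifactId, version) for each dependency:tree line.

    Maven indents each level by three characters ('+- ', '|  ', '\\- ', '   '),
    so the column of the first coordinate character divided by 3 is the depth.
    """
    nodes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        m = re.search(r"[A-Za-z0-9]", body)
        if not m:
            continue
        depth = m.start() // 3
        # group:artifact:type[:classifier]:version[:scope]
        parts = body[m.start():].split(":")
        if len(parts) < 4:
            continue
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        nodes.append((depth, parts[0], parts[1], version))
    return nodes


def find_vulnerable(text: str, watchlist=WATCHLIST) -> List[Dict[str, str]]:
    """Report watchlisted artifacts below their fix version, with the path that pulls them in."""
    findings = []
    stack: List[str] = []  # ancestor coordinates, one entry per depth level
    for depth, group, artifact, version in parse_tree(text):
        del stack[depth:]  # drop siblings/descendants of the previous branch
        stack.append(f"{group}:{artifact}:{version}")
        fixed = watchlist.get((group, artifact))
        if fixed and version_lt(version, fixed):
            findings.append({
                "artifact": f"{group}:{artifact}",
                "version": version,
                "fixed_in": fixed,
                "path": " -> ".join(stack),
            })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_TREE):
        print(f"{f['artifact']} {f['version']} (fixed in {f['fixed_in']}) via {f['path']}")
```

To run it against a real build, pipe the output of `mvn dependency:tree` into `find_vulnerable` instead of `SAMPLE_TREE`; the path in each finding tells you which direct dependency (here spark-core via chill) has to move before the transitive kryo-shaded version can change, which is exactly why the report waits on the chill upgrade.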