Posted to issues@spark.apache.org by "Madhusudan N (JIRA)" <ji...@apache.org> on 2018/09/18 14:00:00 UTC

[jira] [Created] (SPARK-25455) Spark bundles jackson library version, which is vulnerable

Madhusudan N created SPARK-25455:
------------------------------------

             Summary: Spark bundles jackson library version, which is vulnerable 
                 Key: SPARK-25455
                 URL: https://issues.apache.org/jira/browse/SPARK-25455
             Project: Spark
          Issue Type: Bug
          Components: Spark Core
    Affects Versions: 2.3.1, 2.2.0
            Reporter: Madhusudan N


We have hosted one of our applications in Spark standalone mode, and the application has the Jackson library dependencies listed below.

Version = 2.9.6
 * jackson-core
 * jackson-databind
 * jackson-dataformat-cbor
 * jackson-dataformat-xml
 * jackson-dataformat-yaml

Due to a vulnerability in Jackson 2.6.6 reported by Veracode, it has been upgraded to version 2.9.6.

Please find below the link describing the vulnerability issue with Jackson 2.6.6.
[http://cwe.mitre.org/data/definitions/470.html]

Spark versions 2.2.0 and 2.3.1 depend on jackson-core 2.6.5 and jackson-core 2.6.7, but our application needs jackson-core 2.9.6. Because of this, the application crashes. Please find the stack trace below:

Exception in thread "main" [Loaded java.lang.Throwable$WrappedPrintStream from /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar]
java.lang.NoSuchFieldError: NO_INTS
        at com.fasterxml.jackson.dataformat.cbor.CBORParser.<init>(CBORParser.java:285)
        at com.fasterxml.jackson.dataformat.cbor.CBORParserBootstrapper.constructParser(CBORParserBootstrapper.java:91)
        at com.fasterxml.jackson.dataformat.cbor.CBORFactory._createParser(CBORFactory.java:377)

Spark needs to use jackson-core version 2.9.6, which does not have the vulnerability.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org
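The crash in the report is the classic symptom of two copies of a Jackson module on one classpath: the driver loads jackson-core 2.6.x from Spark's jars/ directory while the application's jackson-dataformat-cbor 2.9.6 expects a field that only exists in jackson-core 2.9.x. The scanner below is an added example (not Spark project code and not part of the JIRA report) that finds such collisions before a job is submitted. It assumes the jars carry the standard Maven metadata (META-INF/maven/<groupId>/<artifactId>/pom.properties) that published Jackson jars include; shaded or hand-built jars may not, and would be missed. The Spark-like jars/ and app lib/ directories it inspects are constructed in a temp directory for the demo, mirroring the versions named in the report.

```python
"""Find Jackson version conflicts between a Spark distribution's jars/ and an
application's own dependency directory.

Added example, not part of the Spark project or of the JIRA report. It relies on
the Maven pom.properties metadata inside each jar; the sample jars are
constructed in a temp directory purely for demonstration.
"""
import os
import re
import tempfile
import zipfile
from collections import defaultdict

POM_RE = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")


def jar_artifacts(jar_path):
    """Yield (groupId, artifactId, version) for every Maven module inside a jar."""
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if not POM_RE.match(name):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                yield props["groupId"], props["artifactId"], props["version"]


def parse_version(text):
    """'2.9.6' -> (2, 9, 6); a qualifier such as '-rc1' is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(x or 0) for x in m.groups())


def inventory(jar_dirs, group_prefix="com.fasterxml.jackson"):
    """artifactId -> {version: [jar paths]} for all Jackson modules in the given dirs."""
    found = defaultdict(lambda: defaultdict(list))
    for d in jar_dirs:
        for fn in sorted(os.listdir(d)):
            if fn.endswith(".jar"):
                path = os.path.join(d, fn)
                for group, artifact, version in jar_artifacts(path):
                    if group.startswith(group_prefix):
                        found[artifact][version].append(path)
    return {a: dict(vs) for a, vs in found.items()}


def conflicts(inv):
    """Artifacts present in more than one version. The JVM loads whichever copy
    comes first on the classpath, and mixing Jackson module versions fails with
    errors like the NoSuchFieldError in the report."""
    return {a: vs for a, vs in inv.items() if len(vs) > 1}


def below_minimum(inv, minimum):
    """Sorted (artifactId, version) pairs older than the required version."""
    floor = parse_version(minimum)
    return sorted((a, v) for a, vs in inv.items() for v in vs
                  if parse_version(v) < floor)


def make_jar(directory, group, artifact, version):
    """Write a minimal jar carrying only Maven pom.properties (constructed sample)."""
    path = os.path.join(directory, "%s-%s.jar" % (artifact, version))
    entry = "META-INF/maven/%s/%s/pom.properties" % (group, artifact)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(entry, "groupId=%s\nartifactId=%s\nversion=%s\n"
                    % (group, artifact, version))
    return path


def run_demo(root=None):
    """Build a Spark-like jars/ dir (Jackson 2.6.7) next to an app lib/ dir
    (Jackson 2.9.6), as in the report, and return (conflicts, too_old)."""
    root = root or tempfile.mkdtemp(prefix="jackson-scan-")
    spark_jars = os.path.join(root, "spark", "jars")
    app_lib = os.path.join(root, "app", "lib")
    os.makedirs(spark_jars, exist_ok=True)
    os.makedirs(app_lib, exist_ok=True)
    core = "com.fasterxml.jackson.core"
    dataformat = "com.fasterxml.jackson.dataformat"
    for artifact in ("jackson-annotations", "jackson-core", "jackson-databind"):
        make_jar(spark_jars, core, artifact, "2.6.7")
    for artifact in ("jackson-core", "jackson-databind"):
        make_jar(app_lib, core, artifact, "2.9.6")
    make_jar(app_lib, dataformat, "jackson-dataformat-cbor", "2.9.6")
    inv = inventory([spark_jars, app_lib])
    return conflicts(inv), below_minimum(inv, "2.9.6")


if __name__ == "__main__":
    found, too_old = run_demo()
    for artifact, versions in sorted(found.items()):
        print("CONFLICT %s: %s" % (artifact, ", ".join(sorted(versions))))
    for artifact, version in too_old:
        print("TOO OLD  %s %s" % (artifact, version))
```

Point inventory() at a real $SPARK_HOME/jars and the application's dependency directory to get the same report for a deployment. A non-empty conflicts() result means the outcome depends on classpath order: Spark's own jars win by default, so the usual remedies are either to relocate the application's Jackson packages with the Maven Shade plugin so the two copies no longer share class names, or to set spark.driver.userClassPathFirst and spark.executor.userClassPathFirst so the application's jars take precedence; the latter only works if every Jackson module the application uses is supplied at the newer version, otherwise the mixed-version failure simply moves elsewhere.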