Posted to issues@spark.apache.org by "Rajesh (Jira)" <ji...@apache.org> on 2022/10/25 08:27:00 UTC
[jira] [Created] (SPARK-40908) need guidance for vulnerability CVE-2022-42889 in spark 3.0.0 version
Rajesh created SPARK-40908:
------------------------------
Summary: need guidance for vulnerability CVE-2022-42889 in spark 3.0.0 version
Key: SPARK-40908
URL: https://issues.apache.org/jira/browse/SPARK-40908
Project: Spark
Issue Type: Question
Components: Spark Core
Affects Versions: 3.0.0
Reporter: Rajesh
Hi Spark team,
We are using Spark 3.0.0 on the AWS EMR service to run our Spark jobs.
spark-core_2.12:3.0.0 has a transitive dependency on commons-text 1.6, and this is flagged as critical severity CVE-2022-42889.
As per Jira SPARK-40801, commons-text has been upgraded and Spark 3.4.0 is released.
We are dependent on the AWS EMR service, and changing the EMR version and Spark version is a big task for us considering all downstream dependent applications.
We know Spark 3.0.0 is EOL for you, but we would really appreciate it if you could provide guidance on it.
We have a few queries and need inputs from the Spark dev team to handle this issue on priority at our end:
* Does spark-core use StringSubstitutor, and do we need to worry about this?
* Which lib or code within spark-core triggers the StringSubstitutor method?
* Can we include Apache commons-text 1.10.0 as an explicit dependency in our applications' POMs and add commons-text 1.6 to the exclusions for spark-core? Will it work?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
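The dependency override the reporter asks about in the last bullet, written out as an added example that is not part of the original issue and not Spark project code: a Maven POM fragment that declares commons-text 1.10.0 directly and excludes the transitive 1.6 from spark-core. The Maven coordinates of spark-core_2.12:3.0.0 and commons-text are the real ones from the issue; the `provided` scope on spark-core is an assumption that fits a cluster (such as EMR) that supplies Spark itself.

```xml
<!-- Added example; not from the Jira issue or from the Spark project. -->
<dependencies>
  <!-- Spark is supplied by the cluster, so 'provided' (assumed here) keeps
       spark-core and its transitive jars out of the application jar. -->
  <dependency>
    <groupId>org.apache.spark</groupId>
    <artifactId>spark-core_2.12</artifactId>
    <version>3.0.0</version>
    <scope>provided</scope>
    <exclusions>
      <!-- Remove the transitive commons-text 1.6 so the dependency graph
           carries a single commons-text version. -->
      <exclusion>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-text</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Declare the fixed version directly. A direct dependency sits at depth 1,
       so Maven's nearest-wins mediation would already prefer it over the
       transitive 1.6; the exclusion above just makes that intent explicit. -->
  <dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-text</artifactId>
    <version>1.10.0</version>
  </dependency>
</dependencies>
```

Verify the result with `mvn dependency:tree -Dincludes=org.apache.commons:commons-text`, which should list only 1.10.0. Two caveats a practitioner will want: first, this only changes what the application jar packages. On EMR the driver and executors are launched with the cluster's own Spark installation on the classpath (`$SPARK_HOME/jars`, typically /usr/lib/spark/jars), and that directory still contains the commons-text jar Spark 3.0.0 was built against; which copy gets loaded depends on Spark's class-loading order, and `spark.driver.userClassPathFirst` / `spark.executor.userClassPathFirst` (both default false and documented as experimental) can prefer the user jar, but that needs testing for classpath conflicts. Second, CVE-2022-42889 is reachable through `StringSubstitutor` created with the default interpolator (`StringSubstitutor.createInterpolator()`, whose default lookups include script, dns and url) when it is fed untrusted input; a scanner flagging the jar on the classpath does not by itself establish that the code path is exercised, which is exactly the reporter's first question and is for the Spark developers to answer for spark-core.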