You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Hyukjin Kwon (Jira)" <ji...@apache.org> on 2022/02/19 03:32:00 UTC
[jira] [Commented] (SPARK-38252) Upgrade Dependencies in spark-sql Java library
[ https://issues.apache.org/jira/browse/SPARK-38252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17494884#comment-17494884 ]
Hyukjin Kwon commented on SPARK-38252:
--------------------------------------
[~DhavalShewale] mind checking the latest master branch? log4j is already fixed as an example at SPARK-37814. Jackson is fixed in SPARK-37763. We don't use protobuf dirrectly, that's probably from Hadoop.
Let's file a separate JIRA for each with assessing how it affects Spark and checking if this is already fixed in the dev branch.
> Upgrade Dependencies in spark-sql Java library
> ----------------------------------------------
>
> Key: SPARK-38252
> URL: https://issues.apache.org/jira/browse/SPARK-38252
> Project: Spark
> Issue Type: Dependency upgrade
> Components: Java API
> Affects Versions: 3.2.1
> Reporter: Dhaval Shewale
> Priority: Critical
>
> There are numerous vulnerabilities in *spark-sql* Java library.
> Can we pls upgrade the transitive dependencies to mitigate these vulnerabilities.
>
> +*Maven Dependency*+
> {quote}{{<dependency>}}
> {{ <groupId>org.apache.spark</groupId>}}
> {{ <artifactId>spark-sql_2.13</artifactId>}}
> {{ <version>3.2.1</version>}}
> {{</dependency>}}
> {quote}
>
> +*Vulnerabilities*+
> {quote}{{Found 17 vulnerabilities (12 High, 4 Medium, 1 Low)}}
> {{---------------------------------------------------------------}}
> {{| SEVERITY | LIBRARY | ID |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | commons-compress-1.20.jar | CVE-2021-35515 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | commons-compress-1.20.jar | CVE-2021-35516 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | commons-compress-1.20.jar | CVE-2021-35517 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | commons-compress-1.20.jar | CVE-2021-36090 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | gson-2.8.6.jar | WS-2021-0419 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2019-17571 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2020-9493 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2021-4104 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2022-23302 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2022-23305 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2022-23307 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | netty-all-4.1.68.Final.jar | WS-2020-0408 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| MEDIUM | jackson-core-2.12.3.jar | WS-2021-0616 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| MEDIUM | jackson-databind-2.12.3.jar | WS-2021-0616 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| MEDIUM | netty-all-4.1.68.Final.jar | CVE-2021-43797 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| MEDIUM | protobuf-java-2.5.0.jar | CVE-2021-22569 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| LOW | log4j-1.2.17.jar | CVE-2020-9488 |}}
> {{---------------------------------------------------------------}}
> {quote}
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org