You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "eoin (Jira)" <ji...@apache.org> on 2021/02/23 18:14:00 UTC

[jira] [Created] (SPARK-34511) Current Security vulnerabilities in spark libraries

eoin created SPARK-34511:
----------------------------

             Summary: Current Security vulnerabilities in spark libraries
                 Key: SPARK-34511
                 URL: https://issues.apache.org/jira/browse/SPARK-34511
             Project: Spark
          Issue Type: Dependency upgrade
          Components: Spark Core
    Affects Versions: 3.0.1
            Reporter: eoin


The following libraries have the following vulnerabilities that will fail Nexus security scans. They are deemed as threats of level 7 and higher on the Sonatype/Nexus scale. Many of them can be fixed by upgrading the dependencies as the are fixed in subsequent releases.
 
com.fasterxml.woodstox : woodstox-core : 5.0.3 * [https://github.com/FasterXML/woodstox/issues/50]
 * [https://github.com/FasterXML/woodstox/issues/51]
 * [https://github.com/FasterXML/woodstox/issues/61]

com.nimbusds : nimbus-jose-jwt : 4.41.1 * [https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt]
 * [https://connect2id.com/blog/nimbus-jose-jwt-7-9]

Log4j : log4j : 1.2.17
SocketServer class that is vulnerable to deserialization of untrusted data: * https://issues.apache.org/jira/browse/LOG4J2-1863
 * [https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E]
 * [https://bugzilla.redhat.com/show_bug.cgi?id=1785616]

Dynamic-link Library (DLL) Preloading:
 * [https://bz.apache.org/bugzilla/show_bug.cgi?id=50323]

 
apache-xerces : xercesImpl : 2.9.1 * hash table collisions -> https://issues.apache.org/jira/browse/XERCESJ-1685
 * [https://mail-archives.apache.org/mod_mbox/xerces-j-dev/201410.mbox/%3COF3B40F5F7.E6552A8B-ON85257D73.00699ED7-85257D73.006A999B@ca.ibm.com%3E]
 * [https://bugzilla.redhat.com/show_bug.cgi?id=1019176]

 
com.fasterxml.jackson.core : jackson-databind : 2.10.0 * [https://github.com/FasterXML/jackson-databind/issues/2589]

 
commons-beanutils : commons-beanutils : 1.9.3 * [http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader]
 * https://issues.apache.org/jira/browse/BEANUTILS-463

 
commons-io : commons-io : 2.5 * [https://github.com/apache/commons-io/pull/52]
 * https://issues.apache.org/jira/browse/IO-556
 * https://issues.apache.org/jira/browse/IO-559

 
io.netty : netty-all : 4.1.47.Final * [https://github.com/netty/netty/issues/10351]
 * [https://github.com/netty/netty/pull/10560]

 
org.apache.commons : commons-compress : 1.18 * [https://commons.apache.org/proper/commons-compress/security-reports.html#Apache_Commons_Compress_Security_Vulnerabilities]

 
org.apache.hadoop : hadoop-hdfs : 2.7.4 * [https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E]
 * [https://lists.apache.org/thread.html/caacbbba2dcc1105163f76f3dfee5fbd22e0417e0783212787086378@%3Cgeneral.hadoop.apache.org%3E]
 * [https://hadoop.apache.org/cve_list.html]
 * [https://www.openwall.com/lists/oss-security/2019/01/24/3]
 
org.apache.hadoop : hadoop-mapreduce-client-core : 2.7.4 * [https://bugzilla.redhat.com/show_bug.cgi?id=1516399]
 * [https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E]

 
org.codehaus.jackson : jackson-mapper-asl : 1.9.13 * [https://github.com/FasterXML/jackson-databind/issues/1599]
 * [https://blog.sonatype.com/jackson-databind-remote-code-execution]
 * [https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist]
 * [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525]
 * [https://access.redhat.com/security/cve/cve-2019-10172]
 * [https://bugzilla.redhat.com/show_bug.cgi?id=1715075]
 * [https://nvd.nist.gov/vuln/detail/CVE-2019-10172]

 
org.eclipse.jetty : jetty-http : 9.3.24.v20180605: * [https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096]

 
org.eclipse.jetty : jetty-webapp : 9.3.24.v20180605 * [https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921]
 * [https://github.com/eclipse/jetty.project/issues/5451]
 * [https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6]

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org