Posted to user@spark.apache.org by HARSH TAKKAR <ta...@gmail.com> on 2022/04/26 10:47:36 UTC
Vulnerabilities in htrace-core4-4.1.0-incubating.jar jar used in spark.
Hello,
Please let me know if there is a fix available for the following
vulnerabilities in the htrace jar used in the Spark jars folder.
LIBRARY: com.fasterxml.jackson.core:jackson-databind
VULNERABILITY IDs:
CVE-2020-9548
CVE-2020-9547
CVE-2020-8840
CVE-2020-36179
CVE-2020-35491
CVE-2020-35490
CVE-2020-25649
CVE-2020-24750
CVE-2020-24616
CVE-2020-10673
CVE-2019-20330
CVE-2019-17531
CVE-2019-17267
CVE-2019-16943
CVE-2019-16942
CVE-2019-16335
CVE-2019-14893
CVE-2019-14892
CVE-2019-14540
CVE-2019-14439
CVE-2019-14379
CVE-2019-12086
CVE-2018-7489
CVE-2018-5968
CVE-2018-14719
CVE-2018-14718
CVE-2018-12022
CVE-2018-11307
CVE-2017-7525
CVE-2017-17485
CVE-2017-15095
Kind Regards
Harsh Takkar
Re: Vulnerabilities in htrace-core4-4.1.0-incubating.jar jar used in spark.
Posted by Artemis User <ar...@dtechspace.com>.
What scanner did you use? Looks like all CVEs you listed for
jackson-databind-xxx.jar are for older versions (2.9.10.x). A quick
search on NVD revealed that there is only one CVE (CVE-2020-36518) that
affects your Spark versions. This CVE (not on your scanned CVE list) is
on jackson-databind jar versions before 2.13.0, and Spark 3.2.1 uses
version 2.12.x. The other two Spark versions use version 2.10.x.
Surprisingly, Spark 3.2.0 uses the jackson-databind library of version
2.13.0 (don't know why 3.2.1 uses an older version) so Spark 3.2.0
shouldn't have any known CVEs related to jackson-databind. You may want
to either use Spark 3.2.0 or do your own Spark build with the latest
version of jackson-databind lib (2.14.x).
On 5/2/22 1:46 AM, HARSH TAKKAR wrote:
> We scanned 3 versions of Spark: 3.0.0, 3.1.3, 3.2.1
>
> On Tue, 26 Apr, 2022, 18:46 Bjørn Jørgensen,
> <bj...@gmail.com> wrote:
>
> What version of spark is it that you have scanned?
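The reply above turns on two questions a practitioner has to answer before trusting a scanner report: which jackson-databind version is actually shipped in the Spark jars folder, and whether the one CVE NVD lists for it (CVE-2020-36518, fixed in 2.13.0 per the reply) applies. The following is an added example, not code from the thread or from the Spark project. It walks a jars directory, reports every jackson-databind copy it finds (a standalone jackson-databind-<version>.jar, or a copy packaged inside another jar, which is one way a scanner ends up attributing jackson-databind CVEs to a jar with a different name; the thread does not confirm that this is what happened with the htrace jar), and compares each version against the 2.13.0 fix version. The sample jars, their file names and their pom.properties contents are constructed for the demo.

```python
"""
Added example (not from the mailing-list thread or the Spark project): locate
every copy of jackson-databind in a Spark jars/ folder and check it against the
fix version the thread cites for CVE-2020-36518.
"""
import os
import re
import tempfile
import zipfile

# Path Maven writes into jars built from this artifact; a jar that repackages
# jackson-databind normally keeps this file, so it exposes bundled copies.
POM_PROPS = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
JAR_NAME_RE = re.compile(r"^jackson-databind-([0-9][0-9A-Za-z.\-]*)\.jar$")

# Fix version for CVE-2020-36518 as stated in the reply above (assumption:
# taken from the thread, not re-verified against NVD here).
CVE_2020_36518_FIXED = "2.13.0"


def parse_version(v):
    """Turn '2.12.3' into (2, 12, 3) so comparisons are numeric, not lexical."""
    nums = [int(n) for n in re.findall(r"\d+", v)][:3]
    return tuple(nums) + (0,) * (3 - len(nums))


def version_from_pom_properties(text):
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def find_jackson_databind(jars_dir):
    """Return a list of (jar file name, jackson-databind version, how it was found)."""
    found = []
    for name in sorted(os.listdir(jars_dir)):
        if not name.endswith(".jar"):
            continue
        path = os.path.join(jars_dir, name)
        m = JAR_NAME_RE.match(name)
        if m:
            found.append((name, m.group(1), "file name"))
            continue
        try:
            with zipfile.ZipFile(path) as zf:
                if POM_PROPS in zf.namelist():
                    props = zf.read(POM_PROPS).decode("utf-8", "replace")
                    ver = version_from_pom_properties(props)
                    if ver:
                        found.append((name, ver, "bundled pom.properties"))
        except zipfile.BadZipFile:
            pass  # not a readable jar; skip it rather than abort the scan
    return found


def affected_by_cve_2020_36518(version):
    return parse_version(version) < parse_version(CVE_2020_36518_FIXED)


def build_sample_jars(jars_dir):
    # Constructed sample: a standalone jackson-databind jar, a jar that bundles
    # an older jackson-databind copy, and an unrelated jar.
    with zipfile.ZipFile(os.path.join(jars_dir, "jackson-databind-2.12.3.jar"), "w") as zf:
        zf.writestr(POM_PROPS, "version=2.12.3\ngroupId=com.fasterxml.jackson.core\n")
    with zipfile.ZipFile(os.path.join(jars_dir, "some-bundling-lib-1.0.jar"), "w") as zf:
        zf.writestr(POM_PROPS, "version=2.4.0\ngroupId=com.fasterxml.jackson.core\n")
    with zipfile.ZipFile(os.path.join(jars_dir, "unrelated-1.0.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")


def demo():
    """Scan the constructed sample folder; returns (jar, version, how, status) rows."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_jars(d)
        report = []
        for jar, ver, how in find_jackson_databind(d):
            status = "affected" if affected_by_cve_2020_36518(ver) else "fixed"
            report.append((jar, ver, how, status))
        return report


if __name__ == "__main__":
    for row in demo():
        print("%-32s jackson-databind %-8s (%s): CVE-2020-36518 %s" % row)
```

Point `find_jackson_databind` at a real `$SPARK_HOME/jars` to get the same report for an installation; a copy found through a bundled pom.properties is the one to compare against the scanner's jar attribution before deciding whether a finding is a false positive.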
Re: Vulnerabilities in htrace-core4-4.1.0-incubating.jar jar used in spark.
Posted by HARSH TAKKAR <ta...@gmail.com>.
We scanned 3 versions of Spark: 3.0.0, 3.1.3, 3.2.1
On Tue, 26 Apr, 2022, 18:46 Bjørn Jørgensen, <bj...@gmail.com>
wrote:
> What version of spark is it that you have scanned?
Re: Vulnerabilities in htrace-core4-4.1.0-incubating.jar jar used in spark.
Posted by Bjørn Jørgensen <bj...@gmail.com>.
What version of spark is it that you have scanned?
--
Bjørn Jørgensen
Vestre Aspehaug 4, 6010 Ålesund
Norge
+47 480 94 297
Re: Vulnerabilities in htrace-core4-4.1.0-incubating.jar jar used in spark.
Posted by Bjørn Jørgensen <bj...@gmail.com>.
Spark version 3.3 will have this fixed.
Spark github 35981 <https://github.com/apache/spark/pull/35981>