Posted to user@spark.apache.org by HARSH TAKKAR <ta...@gmail.com> on 2022/04/26 10:47:36 UTC

Vulnerabilities in htrace-core4-4.1.0-incubating.jar jar used in spark.

Hello,

Please let me know if there is a fix available for the following
vulnerabilities in the htrace jar used in the Spark jars folder.

LIBRARY: com.fasterxml.jackson.core:jackson-databind

VULNERABILITY IDs:

  CVE-2020-9548
  CVE-2020-9547
  CVE-2020-8840
  CVE-2020-36179
  CVE-2020-35491
  CVE-2020-35490
  CVE-2020-25649
  CVE-2020-24750
  CVE-2020-24616
  CVE-2020-10673
  CVE-2019-20330
  CVE-2019-17531
  CVE-2019-17267
  CVE-2019-16943
  CVE-2019-16942
  CVE-2019-16335
  CVE-2019-14893
  CVE-2019-14892
  CVE-2019-14540
  CVE-2019-14439
  CVE-2019-14379
  CVE-2019-12086
  CVE-2018-7489
  CVE-2018-5968
  CVE-2018-14719
  CVE-2018-14718
  CVE-2018-12022
  CVE-2018-11307
  CVE-2017-7525
  CVE-2017-17485
  CVE-2017-15095


Kind Regards

Harsh Takkar

Re: Vulnerabilities in htrace-core4-4.1.0-incubating.jar jar used in spark.

Posted by Artemis User <ar...@dtechspace.com>.
What scanner did you use? Looks like all CVEs you listed for 
jackson-databind-xxx.jar are for older versions (2.9.10.x).  A quick 
search on NVD revealed that there is only one CVE (CVE-2020-36518) that 
affects your Spark versions.  This CVE (not on your scanned CVE list) is 
on jackson-databind jar versions before 2.13.0, and Spark 3.2.1 uses 
version 2.12.x.  The other two Spark versions use version 2.10.x.

Surprisingly, Spark 3.2.0 uses the jackson-databind library of version 
2.13.0 (don't know why 3.2.1 uses an older version) so Spark 3.2.0 
shouldn't have any known CVEs related to jackson-databind. You may want 
to either use Spark 3.2.0 or do your own Spark build with the latest 
version of jackson-databind lib (2.14.x).

On 5/2/22 1:46 AM, HARSH TAKKAR wrote:
> We scanned 3 versions of spark 3.0.0, 3.1.3, 3.2.1
>
>
>
> On Tue, 26 Apr, 2022, 18:46 Bjørn Jørgensen, 
> <bj...@gmail.com> wrote:
>
>     What version of spark is it that you have scanned?
>
>
>

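The version check Artemis describes, done against the jars themselves: an added Python example (not code from this thread or from Spark) that reads the jackson-databind version bundled in each jar under a Spark jars/ folder, including a copy shaded inside another jar the way a scanner attributes databind findings to htrace-core4, and flags anything below the 2.13.0 line named above for CVE-2020-36518. The relocated package path in the comment and the sample jars built by make_jar are constructed assumptions.

```python
# Added example (not from the thread): list the jackson-databind copies in a Spark
# jars/ folder, including copies shaded inside other jars such as htrace-core4.
import io
import re
import zipfile
from pathlib import Path

FIXED_VERSION = "2.13.0"  # version line named in the thread as fixing CVE-2020-36518
# Maven convention: shaded jars usually keep the dependency's pom.properties.
POM_PROPS = re.compile(
    r"META-INF/maven/com\.fasterxml\.jackson\.core/jackson-databind/pom\.properties$")
# Matches the class in its normal package and under any relocation prefix
# (assumed form: org/apache/htrace/shaded/fasterxml/jackson/databind/...).
CLASS_PATH = re.compile(r"fasterxml/jackson/databind/ObjectMapper\.class$")

def parse_version(v):
    """'2.9.10.8' -> (2, 9, 10, 8); qualifiers such as '-rc1' are dropped."""
    return tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0]))

def jackson_databind_version(jar):
    """Version of jackson-databind bundled in a jar (path or bytes); 'unknown'
    if databind classes exist without pom.properties; None if not bundled."""
    src = io.BytesIO(jar) if isinstance(jar, bytes) else jar
    with zipfile.ZipFile(src) as zf:
        names = zf.namelist()
        for n in names:
            if POM_PROPS.search(n):
                lines = zf.read(n).decode().splitlines()
                props = dict(ln.split("=", 1) for ln in lines if "=" in ln)
                return props.get("version", "unknown").strip()
        return "unknown" if any(CLASS_PATH.search(n) for n in names) else None

def scan_jars_dir(jars_dir, fixed=FIXED_VERSION):
    """jar name -> (version, flagged); unknown versions are flagged, not passed."""
    report = {}
    for path in sorted(Path(jars_dir).glob("*.jar")):
        ver = jackson_databind_version(str(path))
        if ver is not None:
            flagged = ver == "unknown" or parse_version(ver) < parse_version(fixed)
            report[path.name] = (ver, flagged)
    return report

def make_jar(entries):
    """Build a constructed sample jar (bytes) from {entry: content} for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Run scan_jars_dir("/path/to/spark/jars") on each of the scanned distributions; a jar reported as "unknown" bundles databind classes with no version metadata and has to be checked by hand.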
Re: Vulnerabilities in htrace-core4-4.1.0-incubating.jar jar used in spark.

Posted by HARSH TAKKAR <ta...@gmail.com>.
We scanned 3 versions of Spark: 3.0.0, 3.1.3, 3.2.1



On Tue, 26 Apr, 2022, 18:46 Bjørn Jørgensen, <bj...@gmail.com>
wrote:

> What version of spark is it that you have scanned?
>
>
>

Re: Vulnerabilities in htrace-core4-4.1.0-incubating.jar jar used in spark.

Posted by Bjørn Jørgensen <bj...@gmail.com>.
What version of spark is it that you have scanned?




-- 
Bjørn Jørgensen
Vestre Aspehaug 4, 6010 Ålesund
Norge

+47 480 94 297

Re: Vulnerabilities in htrace-core4-4.1.0-incubating.jar jar used in spark.

Posted by Bjørn Jørgensen <bj...@gmail.com>.
Spark version 3.3 will have this fixed.
Spark GitHub 35981 <https://github.com/apache/spark/pull/35981>


