You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Dongjoon Hyun (Jira)" <ji...@apache.org> on 2022/10/25 22:22:00 UTC
[jira] [Closed] (SPARK-40908) need guidance for vulnerability CVE-2022-42889 in spark 3.0.0 version
[ https://issues.apache.org/jira/browse/SPARK-40908?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dongjoon Hyun closed SPARK-40908.
---------------------------------
> need guidance for vulnerability CVE-2022-42889 in spark 3.0.0 version
> ---------------------------------------------------------------------
>
> Key: SPARK-40908
> URL: https://issues.apache.org/jira/browse/SPARK-40908
> Project: Spark
> Issue Type: Question
> Components: Spark Core
> Affects Versions: 3.0.0
> Reporter: Rajesh
> Priority: Major
> Labels: SECURITY, security
>
> Hi Spark team,
>
> [~dongjoon] [~bjornjorgensen]
>
>
> We are using spark 3.0.0 on AWS EMR service to run our spark jobs.
> spark-core_2.12:3.0.0 has transitive dependency on commons-text 1.6 and this is flagged as critical severity CVE-2022-42889.
> As per Jira SPARK-40801 , commons text has been upgraded and spark 3.4.0 is released.
> We are dependent on AWS EMR service and changing EMR version and spark version is big task for us considering all downstream dependent applications
> We know spark 3.0.0 is EOL for you but would really appreciate if could provide guidance on it.
> We have few queries and need inputs from spark dev team to handle this issue on priority at our end
>
>
> * Does spark-core 3.0.0 use StringSubstitutor API and {*}do we need to worry about this{*}?
> * which lib or code within spark core 3.0.0 triggers StringSubstitutor method ?
> * I searched for spark source code for usage of StringSubstitutor and found one reference here [https://github.com/apache/spark/blob/master/core/src/main/scala/org/apache/spark/ErrorClassesJSONReader.scala] in master branch but this class is not available in spark 3.0.0 tags. As per link - [https://blogs.apache.org/security/entry/cve-2022-42889] , If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: you are only affected when this software uses the {{StringSubstitutor}} API without properly sanitizing any untrusted input.
> * *Please confirm if spark 3.0.0 does not use {{StringSubstitutor}} API from commons-text but just have dependency marked in POM* [https://github.com/apache/spark/blob/3fdfce3120f307147244e5eaf46d61419a723d50/pom.xml#L506] for other API use from commons-text?
> * in case , can we include the apache commons text 1.10.0 as explicit dependency on our applications POMs and add common text 1.6 in exclusions for spark-core , will it work ?
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org