You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Dongjoon Hyun (Jira)" <ji...@apache.org> on 2022/10/25 22:22:00 UTC

[jira] [Closed] (SPARK-40908) need guidance for vulnerability CVE-2022-42889 in spark 3.0.0 version

     [ https://issues.apache.org/jira/browse/SPARK-40908?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dongjoon Hyun closed SPARK-40908.
---------------------------------

> need guidance for vulnerability CVE-2022-42889 in spark 3.0.0 version
> ---------------------------------------------------------------------
>
>                 Key: SPARK-40908
>                 URL: https://issues.apache.org/jira/browse/SPARK-40908
>             Project: Spark
>          Issue Type: Question
>          Components: Spark Core
>    Affects Versions: 3.0.0
>            Reporter: Rajesh
>            Priority: Major
>              Labels: SECURITY, security
>
> Hi Spark team,
>  
> [~dongjoon]  [~bjornjorgensen] 
>  
>  
> We are using spark 3.0.0 on AWS EMR service to run our spark jobs. 
> spark-core_2.12:3.0.0  has transitive dependency on commons-text 1.6 and this is flagged as critical severity CVE-2022-42889.
> As per Jira SPARK-40801 , commons text has been upgraded and spark 3.4.0 is released.
> We are dependent on AWS EMR service and changing EMR version and spark version is big task for us considering all downstream dependent applications
> We know spark 3.0.0 is EOL for you but would really appreciate if could provide guidance on it.
> We have few queries and need inputs from spark dev team to handle this issue on priority at our end 
>  
>  
>  * Does spark-core 3.0.0 use StringSubstitutor API and {*}do we need to worry about this{*}?
>  * which lib or code within spark core 3.0.0 triggers StringSubstitutor  method ?
>  * I searched for spark source code for usage of StringSubstitutor  and found one reference here [https://github.com/apache/spark/blob/master/core/src/main/scala/org/apache/spark/ErrorClassesJSONReader.scala] in master branch but this class  is not available in spark 3.0.0 tags. As per link - [https://blogs.apache.org/security/entry/cve-2022-42889] , If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: you are only affected when this software uses the {{StringSubstitutor}} API without properly sanitizing any untrusted input.
>  *  *Please confirm if spark 3.0.0 does not use {{StringSubstitutor}} API from commons-text but just have dependency marked in POM* [https://github.com/apache/spark/blob/3fdfce3120f307147244e5eaf46d61419a723d50/pom.xml#L506]  for other API use from commons-text?
>  * in case , can we include the apache commons text 1.10.0 as explicit dependency on our applications POMs and add common text 1.6 in exclusions for spark-core , will it work ?
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org