Posted to issues@spark.apache.org by "Madhusudan N (JIRA)" <ji...@apache.org> on 2018/10/04 19:58:00 UTC

[jira] [Updated] (SPARK-25455) Spark bundles jackson library version, which is vulnerable

     [ https://issues.apache.org/jira/browse/SPARK-25455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhusudan N updated SPARK-25455:
---------------------------------
    Priority: Major  (was: Minor)

> Spark bundles jackson library version, which is vulnerable 
> -----------------------------------------------------------
>
>                 Key: SPARK-25455
>                 URL: https://issues.apache.org/jira/browse/SPARK-25455
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Core
>    Affects Versions: 2.2.0, 2.3.1
>            Reporter: Madhusudan N
>            Priority: Major
>
> We have hosted one of our applications in Spark standalone mode, and the application has the below jackson library dependencies.
> Version = 2.9.6
>  * jackson-core
>  * jackson-databind
>  * jackson-dataformat-cbor
>  * jackson-dataformat-xml
>  * jackson-dataformat-yaml
>  
> Due to a vulnerability with jackson 2.6.6 as indicated by Veracode, it has been upgraded to the 2.9.6 version.
> Please find the link which depicts the vulnerability issue with jackson 2.6.6.
> [http://cwe.mitre.org/data/definitions/470.html]
>  
> Spark versions 2.2.0 and 2.3.1 have dependencies on jackson-core 2.6.5 and jackson-core 2.6.7, but our application needs jackson-core 2.9.6. Because of this, the application crashes. Please find the stacktrace below:
> Exception in thread "main" [Loaded java.lang.Throwable$WrappedPrintStream from /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar]
> java.lang.NoSuchFieldError: NO_INTS
>         at com.fasterxml.jackson.dataformat.cbor.CBORParser.<init>(CBORParser.java:285)
>         at com.fasterxml.jackson.dataformat.cbor.CBORParserBootstrapper.constructParser(CBORParserBootstrapper.java:91)
>         at com.fasterxml.jackson.dataformat.cbor.CBORFactory._createParser(CBORFactory.java:377)
>  
> Spark needs to use the jackson-core 2.9.6 version, which does not have the vulnerability.
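As an added example (not code from the report, the reporter, or the Spark project), a small classpath check for the mixed-version state the stacktrace above reflects: Jackson dataformat modules at 2.9.6 loaded next to the jackson-core 2.6.x that Spark bundles. It scans jar file names as found in a Spark jars/ directory plus an application's own dependencies (the list below is a constructed sample, not taken from a real install), assumes standard Maven jar naming, and reports both modules below the version the report asks for and modules whose version differs from jackson-core's.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample classpath mirroring the report: Spark's bundled Jackson 2.6.7
# jars next to the application's 2.9.6 dataformat modules.
SAMPLE_CLASSPATH = [
    "spark-core_2.11-2.3.1.jar",
    "jackson-core-2.6.7.jar",
    "jackson-annotations-2.6.7.jar",
    "jackson-databind-2.6.7.jar",
    "jackson-dataformat-cbor-2.9.6.jar",
    "jackson-dataformat-xml-2.9.6.jar",
    "jackson-dataformat-yaml-2.9.6.jar",
    "jackson-module-scala_2.11-2.6.7.jar",
]

# Maven-style jar name: <module>[_scalaBinaryVersion]-<version>.jar (assumed naming).
JACKSON_JAR = re.compile(r"^(jackson-[a-z-]+?)(?:_\d+\.\d+)?-(\d+(?:\.\d+)+)\.jar$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.6.7' into (2, 6, 7) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def jackson_modules(jars: List[str]) -> Dict[str, List[str]]:
    """Map each Jackson module name to the versions present on the classpath."""
    found: Dict[str, List[str]] = {}
    for name in jars:
        m = JACKSON_JAR.match(name)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found


def check_jackson(jars: List[str], minimum: str = "2.9.6") -> List[str]:
    """Report modules below `minimum` (the version the report asks for) and any
    module whose version differs from jackson-core's; that mismatch is what
    produces NoSuchFieldError at runtime, since dataformat jars are compiled
    against fields of a specific jackson-core release."""
    mods = jackson_modules(jars)
    core = mods.get("jackson-core", [])
    findings: List[str] = []
    for mod, versions in sorted(mods.items()):
        for v in versions:
            if parse_version(v) < parse_version(minimum):
                findings.append(f"{mod} {v} is below {minimum}")
            if core and mod != "jackson-core" and v not in core:
                findings.append(f"{mod} {v} does not match jackson-core {','.join(core)}")
    return findings
```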



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
