[ https://issues.apache.org/jira/browse/SPARK-36134?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hyukjin Kwon resolved SPARK-36134.
----------------------------------
    Resolution: Invalid

> jackson-databind RCE vulnerability
> ----------------------------------
>
>                 Key: SPARK-36134
>                 URL: https://issues.apache.org/jira/browse/SPARK-36134
>             Project: Spark
>          Issue Type: Task
>          Components: Java API
>    Affects Versions: 3.1.2, 3.1.3
>            Reporter: Sumit
>            Priority: Major
>         Attachments: Screenshot 2021-07-15 at 1.00.55 PM.png
>
>
> Need to upgrade jackson-databind version to *2.9.3.1*
> At the beginning of 2018, jackson-databind was reported to contain another 
> remote code execution (RCE) vulnerability (CVE-2017-17485) that affects 
> versions 2.9.3 and earlier, 2.7.9.1 and earlier, and 2.8.10 and earlier. This 
> vulnerability is caused by jackson-databind's incomplete blacklist. An 
> application that uses jackson-databind will become vulnerable when the 
> enableDefaultTyping method is called via the ObjectMapper object within the 
> application. An attacker can thus compromise the application by sending 
> maliciously crafted JSON input to gain direct control over a server. 
> Currently, a proof of concept (POC) exploit for this vulnerability is 
> publicly available. All users who are affected by this vulnerability should 
> upgrade to the latest versions as soon as possible to fix this issue.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
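The quoted description names the condition that makes an application exposed: calling `enableDefaultTyping` on an `ObjectMapper`, which lets the JSON input choose the Java class to instantiate. The following is an added illustration, not code from the Spark issue or from the jackson-databind project. It places the unrestricted pattern next to the configuration Jackson added in 2.10 (`activateDefaultTyping` with a `PolymorphicTypeValidator`), and then shows that a type id outside the allowed package is rejected. The package prefix `com.example.model.` and the class name are assumptions chosen for the example.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public final class JacksonDefaultTypingExample {

    // The pattern the issue warns about: global default typing with no
    // restriction on which class names the JSON type id may reference.
    // enableDefaultTyping() is deprecated since jackson-databind 2.10.
    @SuppressWarnings("deprecation")
    static ObjectMapper unrestrictedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }

    // Hardened form (requires jackson-databind 2.10 or later): default typing
    // is only honoured for subtypes under an application-owned package.
    // The package prefix is a hypothetical value for this example.
    static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Safest form: no default typing at all. Polymorphic handling then only
    // happens on types explicitly annotated with @JsonTypeInfo.
    static ObjectMapper plainMapper() {
        return new ObjectMapper();
    }

    // Returns true when the mapper refuses to honour a type id outside the
    // allow-list; with the restricted mapper this is the expected outcome.
    static boolean rejectsForeignTypeId(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (JsonMappingException e) {
            // Jackson reports the disallowed type id as a mapping failure.
            return true;
        } catch (java.io.IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed input: array-style type id naming a class that is not
        // under the allowed package prefix.
        String untrusted = "[\"java.util.HashMap\", {\"k\": \"v\"}]";

        System.out.println("restricted mapper rejects foreign type id: "
                + rejectsForeignTypeId(restrictedMapper(), untrusted));
        System.out.println("plain mapper ignores type ids entirely: "
                + !rejectsForeignTypeId(plainMapper(), untrusted));
    }
}
```

The restricted mapper fails the request before any class is instantiated, which is the behaviour to verify when reviewing an `ObjectMapper` configuration: grep for `enableDefaultTyping` and for `activateDefaultTyping` calls that pass `LaissezFaireSubTypeValidator`, and treat any occurrence that accepts untrusted JSON as a finding regardless of which blacklist version of jackson-databind is on the classpath.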
