Thanks, Owen, for the prompt response.
Sorry, I forgot to mention: it's the latest Spark version, 3.3.1.
Both the spark-py image and PyPI below are good for us to use, but both have the same 
jackson-mapper-asl dependencies.

https://hub.docker.com/layers/apache/spark-py/3.3.1/images/sha256-0d4fd8bcb2ad63a35c9ba5be278a3a34c28fc15e898307e458d501a7e11d6d51?context=explore
https://pypi.org/project/pyspark/

Regards
Harper


From: Sean Owen <sro...@gmail.com>
Sent: Wednesday, December 14, 2022 9:32 PM
To: Wang, Harper (FRPPE) <haibo.w...@morganstanley.com>
Cc: user@spark.apache.org
Subject: [EXTERNAL] Re: [Spark vulnerability] replace jackson-mapper-asl

What Spark version are you referring to? If it's an unsupported version, no, no 
plans to update it.
What image are you referring to?

On Wed, Dec 14, 2022 at 7:14 AM <haibo.w...@morganstanley.com> wrote:
Hi All

Hope you are doing well.

Writing this email about a vulnerability issue: CVE-2018-14721
apache/spark-py: 
gav://org.codehaus.jackson:jackson-mapper-asl:1.9.13,CVE-2018-14721,1.8.10-cloudera.2,1.5.0 <= Version <= 1.9.13

We are trying to bring the above image into our firm, but due to the 
vulnerability issue, pyspark is not allowed. We understand that maintenance of 
this version stopped in 2013, and are wondering whether there is any plan to 
replace jackson-mapper-asl, or any workaround? Thanks.

Regards
Harper Wang
Morgan Stanley | Corporate & Funding Technology
Kerry Parkside | 1155 Fang Dian Road, Pudong New Area
201204 Shanghai
haibo.w...@morganstanley.com


________________________________
NOTICE: Morgan Stanley is not acting as a municipal advisor and the opinions or 
views contained herein are not intended to be, and do not constitute, advice 
within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and 
Consumer Protection Act. By communicating with Morgan Stanley you acknowledge 
that you have read, understand and consent, (where applicable), to the Morgan 
Stanley General Disclaimers found at 
http://www.morganstanley.com/disclaimers/terms. The entire content of this 
email message and any files attached to it may be sensitive, confidential, 
subject to legal privilege and/or otherwise protected from disclosure.
