Please read the CVE you mention. It is not a CVE about the library you are
referencing.
https://nvd.nist.gov/vuln/detail/CVE-2018-14721


On Thu, Dec 15, 2022 at 7:52 PM haibo.w...@morganstanley.com <
haibo.w...@morganstanley.com> wrote:

> Hi Owen
>
>
>
> As confirmed with our firm's appsec team, the library is still being
> used in Spark 3.3.1. Also, I can see the dependency as below:
>
> https://github.com/apache/spark/blob/v3.3.1/pom.xml#L1784
>
>
>
> Is there some misunderstanding? I'd appreciate it if you could clarify more, thanks.
>
>
>
> Regards
>
> Harper
>
>
>
> *From:* Sean Owen <sro...@gmail.com>
> *Sent:* Wednesday, December 14, 2022 10:27 PM
> *To:* Wang, Harper (FRPPE) <haibo.w...@morganstanley.com>
> *Cc:* user@spark.apache.org
> *Subject:* Re: [EXTERNAL] Re: [Spark vulnerability] replace
> jackson-mapper-asl
>
>
>
> The CVE you mention seems to affect jackson-databind, not
> jackson-mapper-asl.  3.3.1 already uses databind 2.13.x which is not
> affected.
>
>
>
> On Wed, Dec 14, 2022 at 8:20 AM haibo.w...@morganstanley.com <
> haibo.w...@morganstanley.com> wrote:
>
> Thanks, Owen, for the prompt response.
>
> Sorry, I forgot to mention: it's the latest Spark version, 3.3.1.
>
> Both the spark-py image and the PyPI package below are good to use for us, but both have
> the same jackson-mapper-asl dependency.
>
>
>
>
> https://hub.docker.com/layers/apache/spark-py/3.3.1/images/sha256-0d4fd8bcb2ad63a35c9ba5be278a3a34c28fc15e898307e458d501a7e11d6d51?context=explore
>
> https://pypi.org/project/pyspark/
>
>
>
> Regards
>
> Harper
>
>
>
>
>
> *From:* Sean Owen <sro...@gmail.com>
> *Sent:* Wednesday, December 14, 2022 9:32 PM
> *To:* Wang, Harper (FRPPE) <haibo.w...@morganstanley.com>
> *Cc:* user@spark.apache.org
> *Subject:* [EXTERNAL] Re: [Spark vulnerability] replace jackson-mapper-asl
>
>
>
> What Spark version are you referring to? If it's an unsupported version,
> no, no plans to update it.
>
> What image are you referring to?
>
>
>
> On Wed, Dec 14, 2022 at 7:14 AM haibo.w...@morganstanley.com <
> haibo.w...@morganstanley.com> wrote:
>
> Hi All
>
>
>
> Hope you are doing well.
>
>
>
> Writing this email about a vulnerability issue: CVE-2018-14721
>
> apache/spark-py:
> gav://org.codehaus.jackson:jackson-mapper-asl:1.9.13,CVE-2018-14721,1.8.10-cloudera.2,1.5.0 <= Version <= 1.9.13
>
>
>
> We are trying to bring the above image into our firm, but due to the
> vulnerability issue, pyspark is not allowed. I understand the version
> stopped being maintained in 2013; is there any plan to replace
> jackson-mapper-asl, or any workaround? Thanks.
>
>
>
> Regards
>
> Harper Wang
>
> *Morgan Stanley | Corporate & Funding Technology*
> Kerry Parkside | 1155 Fang Dian Road, Pudong New Area
> 201204 Shanghai
> haibo.w...@morganstanley.com
>
>
>
> ------------------------------
>
> NOTICE: Morgan Stanley is not acting as a municipal advisor and the
> opinions or views contained herein are not intended to be, and do not
> constitute, advice within the meaning of Section 975 of the Dodd-Frank Wall
> Street Reform and Consumer Protection Act. By communicating with Morgan
> Stanley you acknowledge that you have read, understand and consent, (where
> applicable), to the Morgan Stanley General Disclaimers found at
> http://www.morganstanley.com/disclaimers/terms. The entire content of
> this email message and any files attached to it may be sensitive,
> confidential, subject to legal privilege and/or otherwise protected from
> disclosure.
>
>

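The disagreement in this thread comes down to a scanner matching on the artifact name "jackson" rather than on the CVE's actual affected product: CVE-2018-14721 lists jackson-databind (FasterXML, Jackson 2.x), while the flagged artifact is org.codehaus.jackson:jackson-mapper-asl (Jackson 1.x), a different product. Below is an added example of the triage check an appsec team can run before raising such a finding; it is not code from the Spark project or from anyone in this thread. It parses the scanner line in the format pasted above, maps Maven coordinates to a CPE vendor:product pair, and only then compares versions. The CVE configuration is constructed in the shape of NVD's cpeMatch entries, and the version bounds, the Maven-to-CPE mapping, and the sample findings are all assumptions for illustration, not copied from the NVD record or from Spark's pom.xml.

```python
"""Triage a dependency-scanner finding against a CVE's affected-product list.

Added example (not Spark project code). Scanner line format, as pasted in
the thread:
    gav://<groupId>:<artifactId>:<version>,<CVE-id>,...
The CVE data is constructed in the shape of NVD cpeMatch entries; the
version bounds and the Maven-to-CPE mapping are assumptions.
"""
import re

FINDING_RE = re.compile(r"^gav://([^:]+):([^:]+):([^,]+),(CVE-\d{4}-\d+)")

# Constructed NVD-style affected configurations (version bounds assumed).
CVE_AFFECTED = {
    "CVE-2018-14721": [
        {
            "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
            "versionStartIncluding": "2.0.0",
            "versionEndExcluding": "2.9.7",
        },
    ],
}

# Assumed mapping from Maven coordinates to CPE vendor:product. Jackson 1.x
# (Codehaus) and Jackson 2.x (FasterXML) are separate products.
GAV_TO_CPE = {
    "org.codehaus.jackson:jackson-mapper-asl": ("codehaus", "jackson-mapper-asl"),
    "com.fasterxml.jackson.core:jackson-databind": ("fasterxml", "jackson-databind"),
}


def version_key(version):
    """Numeric tuple for ordering, e.g. '1.8.10-cloudera.2' -> (1, 8, 10, 2).
    Enough for Jackson-style x.y.z versions; not a full Maven comparator."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def cpe_fields(criteria):
    """Return (vendor, product, version) from a CPE 2.3 match string."""
    parts = criteria.split(":")
    return parts[3], parts[4], parts[5]


def version_in_match(version, match):
    """True if `version` lies inside one cpeMatch entry's version bounds."""
    key = version_key(version)
    _, _, exact = cpe_fields(match["criteria"])
    if exact != "*":
        return key == version_key(exact)
    bounds = (
        ("versionStartIncluding", lambda b: key >= b),
        ("versionStartExcluding", lambda b: key > b),
        ("versionEndIncluding", lambda b: key <= b),
        ("versionEndExcluding", lambda b: key < b),
    )
    return all(ok(version_key(match[name])) for name, ok in bounds if name in match)


def triage(finding):
    """Classify one scanner line. Returns (status, explanation)."""
    m = FINDING_RE.match(finding)
    if not m:
        raise ValueError(f"unrecognised finding: {finding!r}")
    group, artifact, version, cve = m.groups()
    matches = CVE_AFFECTED.get(cve)
    if matches is None:
        return "unknown-cve", f"no affected-product data loaded for {cve}"
    mapped = GAV_TO_CPE.get(f"{group}:{artifact}")
    if mapped is None:
        return "unmapped-coordinates", f"no CPE mapping for {group}:{artifact}"
    vendor, product = mapped
    # Product check first: a name-substring hit ("jackson") is not a match.
    same_product = [x for x in matches if cpe_fields(x["criteria"])[:2] == (vendor, product)]
    if not same_product:
        listed = sorted({":".join(cpe_fields(x["criteria"])[:2]) for x in matches})
        return "product-mismatch", f"{cve} affects {listed}, not {vendor}:{product}"
    if any(version_in_match(version, x) for x in same_product):
        return "version-in-range", f"{artifact} {version} is inside the affected range for {cve}"
    return "version-out-of-range", f"{artifact} {version} is outside the affected range for {cve}"


# Constructed sample findings; the first is the line quoted in the thread.
SAMPLE_FINDINGS = [
    "gav://org.codehaus.jackson:jackson-mapper-asl:1.9.13,CVE-2018-14721,1.8.10-cloudera.2,1.5.0 <= Version <= 1.9.13",
    "gav://com.fasterxml.jackson.core:jackson-databind:2.13.4,CVE-2018-14721",
    "gav://com.fasterxml.jackson.core:jackson-databind:2.9.6,CVE-2018-14721",
]

if __name__ == "__main__":
    for line in SAMPLE_FINDINGS:
        status, why = triage(line)
        print(f"{status:22} {why}")
```

Run against the three constructed lines, the thread's finding comes back as a product mismatch, a 2.13.x databind comes back out of range, and only a 2.9.6 databind is reported as actually affected. The point of the ordering is that the scanner's string match on the artifact name never gets to decide; only the CVE's own vendor:product list does. The check says nothing about whether jackson-mapper-asl 1.9.13 has other, correctly attributed CVEs, which is a separate question to take up with the scanner's data.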