[ https://issues.apache.org/jira/browse/SPARK-16751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15397181#comment-15397181 ]

Adam Roberts commented on SPARK-16751:
--------------------------------------

But they do download the jar which contains a CVE, so by either developing Spark or downloading it they have access to the attacks available with the CVE.

-> Adam works for company X, Adam's company distributes Spark to its customers
-> Its customers now have this vulnerable version of derby on their system
-> A disgruntled employee at such a company decides to use their Spark install (derby 10.11.x being on the classpath) to cause damage outlined in the CVE info
-> Alternatively a user has access to a Spark service hosted on an external system which again will have the vulnerable derby on the classpath and can therefore cause damage outlined in the CVE

> Upgrade derby to 10.12.1.1 from 10.11.1.1
> -----------------------------------------
>
>                 Key: SPARK-16751
>                 URL: https://issues.apache.org/jira/browse/SPARK-16751
>             Project: Spark
>          Issue Type: Improvement
>          Components: Build
>    Affects Versions: 1.3.1, 1.4.1, 1.5.2, 1.6.2, 2.0.0
>         Environment: All platforms and major Spark releases
>            Reporter: Adam Roberts
>            Priority: Minor
>
> This JIRA is to upgrade the derby version from 10.11.1.1 to 10.12.1.1
> Sean and I figured that we only use derby for tests and so the initial pull 
> request was to not include it in the jars folder for Spark. I now believe it 
> is required based on comments for the pull request and so this is only a 
> dependency upgrade.
> The upgrade is due to an already disclosed vulnerability (CVE-2015-1832) in 
> derby 10.11.1.1. We used https://www.versioneye.com/search and will be 
> checking for any other problems in a variety of libraries too: investigating 
> if we can set up a Jenkins job to check our pom on a regular basis so we can 
> stay ahead of the game for matters like this.
> This was raised on the mailing list at 
> http://apache-spark-developers-list.1001551.n3.nabble.com/VOTE-Release-Apache-Spark-2-0-0-RC5-tp18367p18465.html
>  by Stephen Hellberg and replied to by Sean Owen.
> I've checked the impact to previous Spark releases and this particular 
> version of derby is the only relatively recent version without 
> vulnerabilities (I checked up to the 1.3 branch), so ideally we'd backport 
> this for all impacted Spark releases.
> I've marked this as critical and ticked the important checkbox as it's going 
> to impact every user, there isn't a security component (should we add one?) 
> and hence the build tag.
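As an added example (not Spark's own build tooling, and not part of the issue or of this comment): a small Python check of the kind the issue's "check our pom on a regular basis" idea describes. It parses a pom.xml, resolves `${...}` property references, and flags any listed dependency whose version is below the first fixed version. The pom fragment, the function names and the `FIXED_VERSIONS` table are constructed here; only the derby coordinates, the two versions and the CVE id come from the issue text.

```python
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Constructed pom fragment for this example; it is NOT Spark's real pom.
# The derby version is the one SPARK-16751 reports as vulnerable.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <derby.version>10.11.1.1</derby.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.derby</groupId>
      <artifactId>derby</artifactId>
      <version>${derby.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# (groupId, artifactId) -> (first fixed version, advisory). Only the derby row
# is taken from the issue; further rows would come from your own advisory feed.
FIXED_VERSIONS = {
    ("org.apache.derby", "derby"): ("10.12.1.1", "CVE-2015-1832"),
}


def parse_version(text):
    """Turn '10.11.1.1' into (10, 11, 1, 1) so versions compare numerically.

    Each dotted piece contributes its leading digits; a piece with no leading
    digits (e.g. 'SNAPSHOT') ends the tuple.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def resolve_property(root, value):
    """Expand a ${name} reference against <properties>; other values pass through."""
    if not (value.startswith("${") and value.endswith("}")):
        return value
    name = value[2:-1]
    props = root.find("m:properties", NS)
    if props is not None:
        for child in props:
            if child.tag == "{%s}%s" % (POM_NS, name) and child.text:
                return child.text.strip()
    return value  # unresolved here (e.g. defined in a parent pom); caller decides


def find_vulnerable(pom_text):
    """Return (groupId, artifactId, version, fixed_in, advisory) for each
    dependency whose resolved version is below the recorded fixed version."""
    root = ET.fromstring(pom_text)
    findings = []
    for dep in root.iter("{%s}dependency" % POM_NS):
        gid = (dep.findtext("m:groupId", default="", namespaces=NS) or "").strip()
        aid = (dep.findtext("m:artifactId", default="", namespaces=NS) or "").strip()
        raw = (dep.findtext("m:version", default="", namespaces=NS) or "").strip()
        if (gid, aid) not in FIXED_VERSIONS or not raw:
            # Unknown artifact, or version managed elsewhere (dependencyManagement/parent).
            continue
        version = resolve_property(root, raw)
        if version.startswith("${"):
            continue  # property not defined in this file; cannot decide here
        fixed_in, advisory = FIXED_VERSIONS[(gid, aid)]
        if parse_version(version) < parse_version(fixed_in):
            findings.append((gid, aid, version, fixed_in, advisory))
    return findings


if __name__ == "__main__":
    for gid, aid, ver, fixed, adv in find_vulnerable(SAMPLE_POM):
        print("%s:%s %s is below %s (%s)" % (gid, aid, ver, fixed, adv))
```

Run against the sample pom it reports the derby 10.11.1.1 entry; swap the property to 10.12.1.1 and it reports nothing. A version inherited from a parent pom or from `dependencyManagement` is skipped rather than guessed, which is the honest answer for a single-file check and the case a Jenkins job over a multi-module build would need to handle by resolving the effective pom first.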



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)