[ 
https://issues.apache.org/jira/browse/SPARK-25455?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16625280#comment-16625280
 ] 

Hajime Osako commented on SPARK-25455:
--------------------------------------

Isn't this a dupe of SPARK-24601?

> Spark bundles jackson library version, which is vulnerable 
> -----------------------------------------------------------
>
>                 Key: SPARK-25455
>                 URL: https://issues.apache.org/jira/browse/SPARK-25455
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Core
>    Affects Versions: 2.2.0, 2.3.1
>            Reporter: Madhusudan N
>            Priority: Minor
>
> We have hosted one of our applications in Spark standalone mode, and the 
> application has the jackson library dependencies below.
> Version = 2.9.6
>  * jackson-core
>  * jackson-databind
>  * jackson-dataformat-cbor
>  * jackson-dataformat-xml
>  * jackson-dataformat-yaml
>  
> Due to a vulnerability in jackson 2.6.6 flagged by Veracode, it has been 
> upgraded to version 2.9.6.
> Please find the link which describes the vulnerability class reported for jackson 2.6.6:
> [http://cwe.mitre.org/data/definitions/470.html]
>  
> Spark versions 2.2.0 and 2.3.1 depend on jackson-core 2.6.5 and 
> jackson-core 2.6.7 respectively, but our application needs jackson-core 2.9.6. Because of 
> this, the application crashes. Please find the stacktrace below:
> 
> Exception in thread "main" [Loaded java.lang.Throwable$WrappedPrintStream from /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar]
> java.lang.NoSuchFieldError: NO_INTS
>         at com.fasterxml.jackson.dataformat.cbor.CBORParser.<init>(CBORParser.java:285)
>         at com.fasterxml.jackson.dataformat.cbor.CBORParserBootstrapper.constructParser(CBORParserBootstrapper.java:91)
>         at com.fasterxml.jackson.dataformat.cbor.CBORFactory._createParser(CBORFactory.java:377)
> 
> Spark needs to use jackson-core 2.9.6, which does not have the 
> vulnerability.
> 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
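The NoSuchFieldError in the report is the classic symptom of a mixed Jackson classpath: jackson-dataformat-cbor 2.9.x was compiled against a field that jackson-core 2.6.x does not have, and which copy of jackson-core wins depends on the Spark classloader, not on the application's pom. The following is an added example (not code from the issue, from Spark, or from the Jackson project) of a startup check that reports the version and jar location of each Jackson module the JVM actually loaded and fails fast when their minor versions disagree. It assumes jackson-core, jackson-databind and the cbor, xml and yaml dataformat modules are on the classpath; the Versioned interface and the factory classes used are the real Jackson APIs.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.core.Versioned;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.dataformat.cbor.CBORFactory;
import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;

import java.net.URL;
import java.security.CodeSource;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not Spark or Jackson project code.
 * Reports which version of each Jackson module the running JVM loaded and from
 * which jar, and fails fast when the modules do not share a major.minor version.
 * On a Spark classpath the driver or executor may pick up jackson-core 2.6.x from
 * Spark's own jars while the application ships 2.9.x of the dataformat modules;
 * that mix surfaces later as a NoSuchFieldError inside a parser constructor.
 */
public final class JacksonVersionCheck {

    /** Every Jackson module exposes Versioned; each factory reports its own module's version. */
    static Map<String, Versioned> modules() {
        Map<String, Versioned> m = new LinkedHashMap<>();
        m.put("jackson-core", new JsonFactory());
        m.put("jackson-databind", new ObjectMapper());
        m.put("jackson-dataformat-cbor", new CBORFactory());
        m.put("jackson-dataformat-xml", new XmlFactory());
        m.put("jackson-dataformat-yaml", new YAMLFactory());
        return m;
    }

    /** Jar (or directory) the object's class was loaded from, so a shadowing copy can be identified. */
    static String origin(Object o) {
        CodeSource cs = o.getClass().getProtectionDomain().getCodeSource();
        if (cs == null) {
            return "<unknown>";
        }
        URL loc = cs.getLocation();
        return loc == null ? "<unknown>" : loc.toString();
    }

    /**
     * Appends one line per module to the report and returns true only when all
     * modules agree on major.minor. Patch levels (2.9.5 vs 2.9.6) are tolerated;
     * the 2.6 vs 2.9 split from the issue is rejected.
     */
    static boolean consistent(Map<String, Versioned> modules, StringBuilder report) {
        Version baseline = null;
        boolean ok = true;
        for (Map.Entry<String, Versioned> e : modules.entrySet()) {
            Version v = e.getValue().version();
            report.append(String.format("%-26s %-8s %s%n", e.getKey(), v, origin(e.getValue())));
            if (baseline == null) {
                baseline = v;
            } else if (v.getMajorVersion() != baseline.getMajorVersion()
                    || v.getMinorVersion() != baseline.getMinorVersion()) {
                ok = false;
            }
        }
        return ok;
    }

    public static void main(String[] args) {
        StringBuilder report = new StringBuilder();
        boolean ok = consistent(modules(), report);
        System.out.print(report);
        if (!ok) {
            // Fail at startup with a readable message instead of a NoSuchFieldError deep in CBORParser.
            throw new IllegalStateException("Mixed Jackson minor versions on the classpath; see report above");
        }
    }
}
```

Run the check inside the Spark job rather than in a separate JVM: the driver and each executor have their own classpath, so the copy of jackson-core that wins can differ per process. The origin column tells you whether the 2.6.x jar came from Spark's jars directory or from the application bundle, which is the information needed to decide between shading Jackson into the application jar and Spark's `spark.driver.userClassPathFirst` / `spark.executor.userClassPathFirst` settings.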