[
https://issues.apache.org/jira/browse/SPARK-25762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16693075#comment-16693075
]
James Grinter commented on SPARK-25762:
---------------------------------------
We also just bumped into CVE-2018-10237, as it's now started triggering the
OWASP dependency checker in our Spark application builds because of the
included Guava dependency.
But I'm going to note that the Guava code itself does not use
`AtomicDoubleArray` (one of the problematic classes) internally, and
instantiates a `CompoundOrdering` object only via its `Ordering` collection
class and `compound` method.
Spark does not use `AtomicDoubleArray` but it *does* use `Ordering`. It doesn't
invoke the `compound` method that would create a `CompoundOrdering` object.
> Upgrade guava version in spark dependency lists due to CVE issue
> -----------------------------------------------------------------
>
> Key: SPARK-25762
> URL: https://issues.apache.org/jira/browse/SPARK-25762
> Project: Spark
> Issue Type: Dependency upgrade
> Components: Spark Core
> Affects Versions: 2.2.1, 2.2.2, 2.3.1, 2.3.2
> Reporter: Debojyoti
> Priority: Major
>
> In spark2.x dependency list we have guava-14.0.1.jar. However there are lot
> vulnerabilities exists in this version.eg. CVE-2018-10237
> [https://www.cvedetails.com/cve/CVE-2018-10237/]
> Do we have any solution to resolve it or is there any plan to upgrade guava
> version any of the spark's future release?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
