[ https://issues.apache.org/jira/browse/SPARK-28938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16945826#comment-16945826 ]
Rodney Aaron Stainback commented on SPARK-28938:
------------------------------------------------

List of CVEs

Image                               ID                CVE               Package                                      Version           Severity  Status                             CVSS
-----                               --                ---               -------                                      -------           --------  ------                             ----
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2016-3720     com.fasterxml.jackson.core_jackson-core      2.6.7             critical                                     9.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-19361    com.fasterxml.jackson.core_jackson-databind  2.6.7.1           critical  fixed in 2.9.8                     9.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-19360    com.fasterxml.jackson.core_jackson-databind  2.6.7.1           critical  fixed in 2.9.8                     9.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-7489     com.fasterxml.jackson.core_jackson-databind  2.6.7.1           critical  fixed in 2.9.5, 2.8.11.1, 2.7.9.3  9.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2017-15718    org.apache.hadoop_hadoop-hdfs                2.7.3             critical                                     9.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-14721    com.fasterxml.jackson.core_jackson-databind  2.6.7.1           critical  fixed in 2.9.7                     10
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-14718    com.fasterxml.jackson.core_jackson-databind  2.4.0             critical  fixed in 2.9.7                     9.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2017-15095    com.fasterxml.jackson.core_jackson-databind  2.4.0             critical  fixed in 2.9.1, 2.8.10             9.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-7489     com.fasterxml.jackson.core_jackson-databind  2.4.0             critical  fixed in 2.9.5, 2.8.11.1, 2.7.9.3  9.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-14720    com.fasterxml.jackson.core_jackson-databind  2.6.7.1           critical  fixed in 2.9.7                     9.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2016-3720     com.fasterxml.jackson.core_jackson-core      2.4.0             critical                                     9.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-14719    com.fasterxml.jackson.core_jackson-databind  2.6.7.1           critical  fixed in 2.9.7                     9.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-14718    com.fasterxml.jackson.core_jackson-databind  2.6.7.1           critical  fixed in 2.9.7                     9.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2017-15095    com.fasterxml.jackson.core_jackson-databind  2.6.7.1           critical  fixed in 2.9.1, 2.8.10             9.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-19362    com.fasterxml.jackson.core_jackson-databind  2.6.7.1           critical  fixed in 2.9.8                     9.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2016-7051     com.fasterxml.jackson.core_jackson-core      2.6.7             high      fixed in 2.8.4, 2.7.8              8.6
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-8012     org.apache.zookeeper_zookeeper               3.4.6             high      fixed in 3.4.10                    7.5
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-5968     com.fasterxml.jackson.core_jackson-databind  2.6.7.1           high      fixed in 2.7.9.5                   8.1
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2016-7051     com.fasterxml.jackson.core_jackson-core      2.4.0             high      fixed in 2.8.4, 2.7.8              8.6
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2016-5017     org.apache.zookeeper_zookeeper               3.4.6             high      fixed in 3.5.3, 3.4.9              8.1
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-16335    com.fasterxml.jackson.core_jackson-databind  2.4.0             high      fixed in 2.9.10                    7.5
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-14540    com.fasterxml.jackson.core_jackson-databind  2.4.0             high      fixed in 2.9.10                    7.5
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2017-5637     org.apache.zookeeper_zookeeper               3.4.6             high                                         7.5
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2017-9735     org.eclipse.jetty_jetty-io                   9.3.24.v20180605  high                                         7.5
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2016-6811     org.apache.hadoop_hadoop-hdfs                2.7.3             high      fixed in 2.7.4                     8.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-5968     com.fasterxml.jackson.core_jackson-databind  2.4.0             high      fixed in 2.7.9.5                   8.1
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-15847    gcc                                          8.3.0-r0          high                                         7.5
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-16335    com.fasterxml.jackson.core_jackson-databind  2.6.7.1           high      fixed in 2.9.10                    7.5
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-14540    com.fasterxml.jackson.core_jackson-databind  2.6.7.1           high      fixed in 2.9.10                    7.5
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2017-3166     org.apache.hadoop_hadoop-hdfs                2.7.3             high                                         7.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-1296     org.apache.hadoop_hadoop-hdfs                2.7.3             high                                         7.5
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-8029     org.apache.hadoop_hadoop-hdfs                2.7.3             high                                         8.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-10086    commons-beanutils_commons-beanutils          1.9.3             high                                         7.3
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-10237    com.google.guava_guava                       11.0.2            medium    fixed in 24.1.1                    5.9
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-1000873  com.fasterxml.jackson.core_jackson-databind  2.6.7.1           medium    fixed in 2.9.8                     6.5
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-1000873  com.fasterxml.jackson.core_jackson-databind  2.4.0             medium    fixed in 2.9.8                     6.5
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-10241    org.eclipse.jetty_jetty-io                   9.3.24.v20180605  medium                                       6.1
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-15133    giflib                                       5.1.4-r2          medium    fixed in 5.1.9-r0                  6.5
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-0201     org.apache.zookeeper_zookeeper               3.4.6             medium                                       5.9
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-16168    sqlite                                       3.28.0-r0         medium                                       5
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-1563     openssl                                      1.1.1b-r1         medium                                       4.3
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-2745     java                                         1.8.0_212         medium                                       5.1
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-2762     java                                         1.8.0_212         medium                                       5.3
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2017-15713    org.apache.hadoop_hadoop-hdfs                2.7.3             medium    fixed in 2.8.3, 2.7.5              6.5
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-1549     openssl                                      1.1.1b-r1         medium                                       5
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2018-10237    com.google.guava_guava                       14.0.1            medium    fixed in 24.1.1                    5.9
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-2816     java                                         1.8.0_212         medium                                       4.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-2816     java                                         1.8.0_212         medium                                       4.8
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-2769     java                                         1.8.0_212         medium                                       5.3
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-2745     java                                         1.8.0_212         medium                                       5.1
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-2762     java                                         1.8.0_212         medium                                       5.3
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-2769     java                                         1.8.0_212         medium                                       5.3
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-2786     java                                         1.8.0_212         low                                          3.4
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-2842     java                                         1.8.0_212         low                                          3.7
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-2842     java                                         1.8.0_212         low                                          3.7
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-2786     java                                         1.8.0_212         low                                          3.4
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-1552     openssl                                      1.1.1b-r1         low                                          3.3
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-1547     openssl                                      1.1.1b-r1         low                                          1.9
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-2766     java                                         1.8.0_212         low                                          3.1
gcr.io/spark-operator/spark:v2.4.4  4822c688a8493e9c  CVE-2019-2766     java                                         1.8.0_212         low                                          3.1

> Kubernetes using unsupported docker image
> -----------------------------------------
>
>                 Key: SPARK-28938
>                 URL: https://issues.apache.org/jira/browse/SPARK-28938
>             Project: Spark
>          Issue Type: Improvement
>          Components: Kubernetes
>    Affects Versions: 3.0.0
>         Environment: Kubernetes
>            Reporter: Rodney Aaron Stainback
>            Priority: Minor
>
> The current docker image used by Kubernetes
> {code:java}
> openjdk:8-alpine{code}
> is not supported
> [https://github.com/docker-library/docs/blob/master/openjdk/README.md#supported-tags-and-respective-dockerfile-links]
> It was removed with this commit
> [https://github.com/docker-library/openjdk/commit/3eb0351b208d739fac35345c85e3c6237c2114ec#diff-f95ffa3d1377774732c33f7b8368e099]
> Quote from commit "4. no more OpenJDK 8 Alpine images (Alpine/musl is not
> officially supported by the OpenJDK project, so this reflects that -- see
> "Project Portola" for the Alpine porting efforts which I understand are still
> in need of help)"
>
> Please move to a supported image for Kubernetes