[ 
https://issues.apache.org/jira/browse/SPARK-30466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17067300#comment-17067300
 ] 

Nicholas Marion commented on SPARK-30466:
-----------------------------------------

It is worth noting that the following dependencies rely on codehaus jackson:

Apache Hadoop, fixed in 3.x versions with 
[https://github.com/apache/hadoop/commit/67d9f2808efb34b9a7b0b824cb4033b95ad33474#diff-e2c362dd211f462f1f629e34af05f497]


Apache parquet-mr, fixed in 1.11.0 with 
[https://github.com/apache/parquet-mr/commit/47398be76cfb6634000532e9432430c4676442dd#diff-c6f127eb650758aad91ecf02a2e52add]


Apache Avro, fixed in 1.9.x with 
[https://github.com/apache/avro/commit/95234db14b7afca9593829f43c41a9851e08dcd7#diff-f5fe6838f0d551a0e3bca3774778b2eb]


Apache Hive, fixed in 3.x with 
[https://github.com/apache/hive/commit/245c39b4c8f711fbc1c9c00df013e4c7fcbdc0a2]


Apache Hadoop 3.x versions are supported within Spark 2.4.x.
Apache parquet-mr appears to be a simple upgrade in pom.xml.

Apache Avro required a little more than a simple upgrade in pom.xml, but was 
still simple.

Apache Hive 2.x was recently added to Spark 3.x, with 
[https://github.com/apache/spark/commit/c98e5eb3396a6db92f2420e743afa9ddff319ca2]

but upgrading to Hive 3.x was not as straightforward and will likely require a 
lot more work.

Once these 4 dependencies have been updated, we should no longer be using the 
vulnerable codehaus-jackson jars.


> remove dependency on jackson-mapper-asl-1.9.13 and jackson-core-asl-1.9.13
> --------------------------------------------------------------------------
>
>                 Key: SPARK-30466
>                 URL: https://issues.apache.org/jira/browse/SPARK-30466
>             Project: Spark
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 2.4.4, 3.0.0
>            Reporter: Michael Burgener
>            Priority: Major
>              Labels: security
>
> These 2 libraries are deprecated and replaced by the jackson-databind 
> libraries, which are already included.  These two libraries are flagged by our 
> vulnerability scanners as having the following security vulnerabilities.  
> I've set the priority to Major due to the Critical nature and hopefully they 
> can be addressed quickly.  Please note, I'm not a developer but work in 
> InfoSec and this was flagged when we incorporated Spark into our product.  If 
> you feel the priority is not set correctly please change accordingly.  I'll 
> watch the issue and flag our dev team to update once resolved.  
> jackson-mapper-asl-1.9.13
> CVE-2018-7489 (CVSS 3.0 Score 9.8 CRITICAL)
> [https://nvd.nist.gov/vuln/detail/CVE-2018-7489] 
>  
> CVE-2017-7525 (CVSS 3.0 Score 9.8 CRITICAL)
> [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
>  
> CVE-2017-17485 (CVSS 3.0 Score 9.8 CRITICAL)
> [https://nvd.nist.gov/vuln/detail/CVE-2017-17485]
>  
> CVE-2017-15095 (CVSS 3.0 Score 9.8 CRITICAL)
> [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
>  
> CVE-2018-5968 (CVSS 3.0 Score 8.1 High)
> [https://nvd.nist.gov/vuln/detail/CVE-2018-5968]
>  
> jackson-core-asl-1.9.13
> CVE-2016-7051 (CVSS 3.0 Score 8.6 High)
> [https://nvd.nist.gov/vuln/detail/CVE-2016-7051]
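A defender-side check for the comment's closing point, added here as an example and not part of the Jira thread: given `mvn dependency:tree` output, walk the tree, report every org.codehaus.jackson artifact still on the classpath, and map each one back to the top-level dependency (Hadoop, Avro, Parquet, Hive, ...) that has to be upgraded or excluded. The sample tree, its artifact versions and the helper names are constructed for illustration, not taken from a real Spark build.

```python
import re

# Constructed sample of `mvn dependency:tree` output; versions and tree shape
# are illustrative only, not taken from a real Spark build.
SAMPLE_TREE = r"""
[INFO] org.apache.spark:spark-core_2.12:jar:3.0.0
[INFO] +- org.apache.hadoop:hadoop-client:jar:2.7.4:compile
[INFO] |  \- org.apache.hadoop:hadoop-common:jar:2.7.4:compile
[INFO] |     +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] |     \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] +- org.apache.avro:avro:jar:1.8.2:compile
[INFO] |  \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.10.0:compile
"""

# The tree prefix is built from 3-char cells ("+- ", "\- ", "|  ", "   "), so cell count == depth.
LINE = re.compile(r"^\[INFO\] ((?:[|+\\\- ]{3})*)(\S.*?)\s*$")


def parse_coord(text):
    """group:artifact:type[:classifier]:version[:scope] -> (group, artifact, version)."""
    parts = text.split(":")
    version = parts[3] if len(parts) == 4 else parts[-2]  # the root line carries no scope
    return parts[0], parts[1], version


def find_codehaus_jackson(tree_text):
    """Report every org.codehaus.jackson artifact with the chain that pulls it in."""
    stack, findings = [], []  # stack[d] = "group:artifact:version" at depth d
    for line in tree_text.splitlines():
        if not (m := LINE.match(line)):
            continue
        depth = len(m.group(1)) // 3
        group, artifact, version = parse_coord(m.group(2))
        del stack[depth:]  # leave the previous branch before recording this node
        stack.append(f"{group}:{artifact}:{version}")
        if group == "org.codehaus.jackson":
            findings.append({"artifact": artifact, "version": version,
                             "via": stack[1] if len(stack) > 1 else stack[0],  # top-level dep to fix
                             "path": " -> ".join(stack[1:-1])})
    return findings


def remediation_targets(tree_text):
    """Map each top-level dependency to the sorted codehaus jars it introduces."""
    targets = {}
    for f in find_codehaus_jackson(tree_text):
        targets.setdefault(f["via"], set()).add(f"{f['artifact']}:{f['version']}")
    return {dep: sorted(jars) for dep, jars in sorted(targets.items())}


if __name__ == "__main__":
    for dep, jars in remediation_targets(SAMPLE_TREE).items():
        print(f"{dep} pulls in {', '.join(jars)}")
```

Feed it the real output of `mvn dependency:tree -Dverbose=false` to see which of the parent projects listed in the comment still drag the codehaus jars into a given Spark build.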



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
