[ https://issues.apache.org/jira/browse/SPARK-32336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean R. Owen resolved SPARK-32336.
----------------------------------
    Resolution: Invalid

Some of these are _Spark_ CVEs that are already resolved.
Some do not seem to affect Spark.
It isn't useful to dump the output of a static checker; which, if any, do you think
affect Spark, and what's the resolution?
There is no further description here.

> 11 Critical & 4 High severity issues in Apache Spark 3.0.0 - dependency 
> libraries
> ---------------------------------------------------------------------------------
>
>                 Key: SPARK-32336
>                 URL: https://issues.apache.org/jira/browse/SPARK-32336
>             Project: Spark
>          Issue Type: Bug
>          Components: Build, Security
>    Affects Versions: 3.0.0
>         Environment: Generic Linux  - but these dependencies are in the 
> libraries that spark pulls in.
> Given that several of these are several years old, and highly severe (remote 
> code execution is possible), these libraries are ripe for exploitation and it 
> is highly likely that exploits currently exist for these issues.
>  
> Please upgrade the dependent libraries and run OWASP dependency check prior 
> to all future releases.
>            Reporter: Albert Baker
>            Priority: Major
>              Labels: easyfix, security
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> ||*[CVE-2018-1337|https://nvd.nist.gov/vuln/detail/CVE-2018-1337]*|In Apache Directory LDAP API before 1.0.2, - upgrade dependency to 1.0.2|
> ||*[CVE-2018-17190|https://nvd.nist.gov/vuln/detail/CVE-2018-17190]*|In all versions of Apache Spark,|
> ||*[CVE-2017-15718|https://nvd.nist.gov/vuln/detail/CVE-2017-15718]*|The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 - upgrade lib|
> ||*[CVE-2018-21234|https://nvd.nist.gov/vuln/detail/CVE-2018-21234]*|Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.|
> ||*[CVE-2019-17571|https://nvd.nist.gov/vuln/detail/CVE-2019-17571]*|Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.|
> ||*[CVE-2018-17190|https://nvd.nist.gov/vuln/detail/CVE-2018-17190]*|In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker|
> ||*[CVE-2020-9480|https://nvd.nist.gov/vuln/detail/CVE-2020-9480]*|In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret.|
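As an added example (not part of this issue, the reporter's report, or the Spark project): the resolution above makes the point that a raw scanner dump is not a triage. A triage compares the version actually on the classpath with the range each advisory names, and sets aside advisories that describe the project itself rather than a third-party dependency (the two Spark CVEs in the table). The script below does that for the CVEs listed in the report. The artifact coordinates and manifest versions are constructed placeholders, not the versions Spark 3.0.0 ships, and the affected ranges are taken from the table's text only.

```python
"""Triage dependency-scanner findings against the versions actually in use.

Added example; not from the Jira issue or the Spark project. The MANIFEST
versions are CONSTRUCTED placeholders, not what any Spark release ships.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.17' or '1.0' into a comparable tuple, padded to three parts.

    A trailing qualifier such as '-SNAPSHOT' or '-M1' is dropped before
    comparing, which is good enough for the dotted numeric versions here.
    """
    numeric = v.split("-")[0]
    parts = [int(p) for p in numeric.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


@dataclass
class Finding:
    cve: str
    artifact: str                        # coordinate the scanner matched, or the project itself
    fixed_in: Optional[str] = None       # first non-vulnerable version; None = no fixed release in this line
    affected_exact: Tuple[str, ...] = () # used when the advisory names specific versions, not a range
    about_project_itself: bool = False   # advisory is about the project, not a dependency


def triage(finding: Finding, manifest: Dict[str, str]) -> str:
    """Classify one finding against the manifest (artifact -> version on classpath)."""
    if finding.about_project_itself:
        # Handled by the project's own release process, not by a dependency bump.
        return "PROJECT_ADVISORY"
    version = manifest.get(finding.artifact)
    if version is None:
        return "NOT_ON_CLASSPATH"
    if finding.affected_exact:
        return "UPGRADE" if version in finding.affected_exact else "NOT_AFFECTED"
    if finding.fixed_in is None:
        # Every version in this line is affected: removal or migration, not an upgrade.
        return "NO_FIXED_RELEASE"
    if parse_version(version) < parse_version(finding.fixed_in):
        return "UPGRADE"
    return "NOT_AFFECTED"


def triage_all(findings: Iterable[Finding], manifest: Dict[str, str]) -> Dict[str, str]:
    """Map each CVE id to its triage outcome; duplicate ids collapse to one entry."""
    return {f.cve: triage(f, manifest) for f in findings}


# Constructed manifest: artifact coordinate -> version on the classpath (placeholders).
MANIFEST = {
    "org.apache.directory.api:api-all": "1.0.0",                   # constructed
    "org.jodd:jodd-core": "5.1.0",                                  # constructed
    "log4j:log4j": "1.2.17",                                        # constructed
    "org.apache.hadoop:hadoop-yarn-server-nodemanager": "2.7.4",    # constructed
}

# Findings as the report's table states them; ranges come from the table text only.
FINDINGS = [
    Finding("CVE-2018-1337", "org.apache.directory.api:api-all", fixed_in="1.0.2"),
    Finding("CVE-2018-21234", "org.jodd:jodd-core", fixed_in="5.0.4"),
    Finding("CVE-2019-17571", "log4j:log4j", fixed_in=None),          # "up to 1.2.17": no fixed 1.2.x
    Finding("CVE-2017-15718", "org.apache.hadoop:hadoop-yarn-server-nodemanager",
            affected_exact=("2.7.3", "2.7.4")),
    Finding("CVE-2018-17190", "spark", about_project_itself=True),
    Finding("CVE-2020-9480", "spark", about_project_itself=True),
]

if __name__ == "__main__":
    for cve, outcome in triage_all(FINDINGS, MANIFEST).items():
        print(f"{cve}: {outcome}")
```

The outcomes split the dump into the three answers a reviewer actually wants: which findings need a dependency bump, which are already satisfied by the version in use, and which are advisories about the project itself that belong in its own release notes rather than in a dependency ticket.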



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org