[ 
https://issues.apache.org/jira/browse/SPARK-32502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17178559#comment-17178559
 ] 

Sean R. Owen commented on SPARK-32502:
--------------------------------------

Yes it's shaded. The problem is that Hadoop < 3.2.1 and current Hive versions 
can't use the latest Guava, and that's all packaged together. Even if we wanted 
to update it - and we have forever - it won't quite work. 

Generally, the answer is: is this CVE actually a problem? Scanners have no 
idea. I can't say for sure, but it doesn't look like it.

If the fix is in LimitedInputStream, maybe we can just apply the patch, as 
indeed we had to copy it to keep it working across Guava 11 and Guava 14-dependent 
libraries (which may no longer be needed).

BTW this has been duplicated a few times already.

> Please fix CVE related to Guava 14.0.1
> --------------------------------------
>
>                 Key: SPARK-32502
>                 URL: https://issues.apache.org/jira/browse/SPARK-32502
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Core
>    Affects Versions: 3.0.0
>            Reporter: Rodney Aaron Stainback
>            Priority: Major
>
> Please fix the following CVE related to Guava 14.0.1
> |cve|severity|cvss|
> |CVE-2018-10237|medium|5.9|
>  
> Our security team is trying to block us from using spark because of this issue
>  
> One thing that's very weird is I see from this [pom 
> file|https://github.com/apache/spark/blob/v3.0.0/common/network-common/pom.xml]
>  you reference guava but it's not clear what version.
>  
> But if I look on 
> [maven|https://mvnrepository.com/artifact/org.apache.spark/spark-network-common_2.12/3.0.0]
>  the guava reference is not showing up.
>  
> Is this reference somehow being shaded into the network common jar?  It's not 
> clear to me.
>  
> Also, I've noticed code like [this 
> file|https://github.com/apache/spark/blob/v3.0.0/common/network-common/src/main/java/org/apache/spark/network/util/LimitedInputStream.java]
>  which is a copy-paste of some guava source code.
>  
> The CVE scanner we use, Twistlock/Palo Alto Networks - Prisma Cloud Compute 
> Edition, is very thorough and will find CVEs in copy-pasted code and shaded 
> jars.
>  
> Please fix this CVE so we can use spark



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
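The thread turns on a question the scanner cannot answer by itself: is Guava really inside the jar, under which (relocated) package, at which version, and are the two classes that CVE-2018-10237 concerns (AtomicDoubleArray and CompoundOrdering, whose Java deserialization in Guava 11.0 up to but not including 24.1.1 allowed unbounded allocation) actually present? The script below is an added example written for this page, not code from the thread or from Spark. It assumes the relocation prefix `org/sparkproject/guava/` for Spark's shaded Guava and the affected-version range stated above; the jar it inspects is constructed in memory, not a real Spark artifact.

```python
"""Find bundled (possibly shaded) Guava in a jar and decide whether
CVE-2018-10237 can apply to it. Added example; assumptions are marked."""
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Guava's real package plus the relocation prefixes Spark has used when
# shading Guava into spark-network-common (ASSUMPTION: verify on your jar).
GUAVA_PKG = "com/google/common/"
SHADED_PREFIXES = ("org/sparkproject/guava/", "org/spark_project/guava/")

# Classes whose deserialization CVE-2018-10237 concerns, and the affected
# range from the advisory as understood here (11.0 <= v < 24.1.1).
CVE_2018_10237_CLASSES = ("util/concurrent/AtomicDoubleArray",
                          "collect/CompoundOrdering")
CVE_2018_10237_FIRST_AFFECTED = (11, 0)
CVE_2018_10237_FIXED_IN = (24, 1, 1)

# Classes Spark copied out of Guava source rather than depending on it.
KNOWN_COPIED_SIMPLE_NAMES = ("LimitedInputStream",)

POM_PROPS = "META-INF/maven/com.google.guava/guava/pom.properties"


@dataclass
class GuavaReport:
    version: Optional[str] = None                 # from pom.properties
    prefixes: Set[str] = field(default_factory=set)  # where Guava classes live
    cve_classes: List[str] = field(default_factory=list)
    copied_classes: List[str] = field(default_factory=list)


def parse_version(v: str) -> Optional[Tuple[int, ...]]:
    """'14.0.1' -> (14, 0, 1); '27.0-jre' -> (27, 0); None if no digits."""
    parts = tuple(int(x) for x in re.findall(r"\d+", v)[:3])
    return parts or None


def inspect_jar(jar_bytes: bytes) -> GuavaReport:
    """Walk every entry of the jar; never trust the manifest alone."""
    rep = GuavaReport()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                if m:
                    rep.version = m.group(1).strip()
            if not name.endswith(".class"):
                continue
            for prefix in (GUAVA_PKG,) + SHADED_PREFIXES:
                if name.startswith(prefix):
                    rep.prefixes.add(prefix)
                    rel = name[len(prefix):-len(".class")]
                    if rel in CVE_2018_10237_CLASSES:
                        rep.cve_classes.append(name)
            simple = name.rsplit("/", 1)[-1][:-len(".class")]
            if simple in KNOWN_COPIED_SIMPLE_NAMES and \
                    not name.startswith((GUAVA_PKG,) + SHADED_PREFIXES):
                rep.copied_classes.append(name)
    return rep


def cve_2018_10237_applies(rep: GuavaReport) -> Optional[bool]:
    """True: affected version AND affected classes are bundled.
    False: classes absent, or version outside the affected range.
    None: classes present but version unknown; a human has to look."""
    if not rep.cve_classes:
        return False
    v = parse_version(rep.version) if rep.version else None
    if v is None:
        return None
    return CVE_2018_10237_FIRST_AFFECTED <= v < CVE_2018_10237_FIXED_IN


def build_sample_jar(prefix: str, version: Optional[str],
                     include_cve_classes: bool = True) -> bytes:
    """CONSTRUCTED test data: a minimal jar with stub class entries."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only; never loaded
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=guava\n")
        zf.writestr(prefix + "base/Preconditions.class", stub)
        if include_cve_classes:
            for c in CVE_2018_10237_CLASSES:
                zf.writestr(prefix + c + ".class", stub)
        zf.writestr("org/apache/spark/network/util/LimitedInputStream.class",
                    stub)
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_jar(build_sample_jar("org/sparkproject/guava/", "14.0.1"))
    print(report)
    print("CVE-2018-10237 applies:", cve_2018_10237_applies(report))
```

To use it on a real artifact, read the jar from disk and pass the bytes to `inspect_jar`; a `None` verdict is the honest answer when the shade plugin stripped the dependency's pom.properties, which is exactly the situation in which a scanner will either guess or stay silent.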
