[jira] [Updated] (SPARK-34511) Current Security vulnerabilities in spark libraries

Tue, 23 Feb 2021 13:16:07 -0800 


     [ 
https://issues.apache.org/jira/browse/SPARK-34511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dongjoon Hyun updated SPARK-34511:
----------------------------------
    Component/s:     (was: Spark Core)
                 Build

> Current Security vulnerabilities in spark libraries
> ---------------------------------------------------
>
>                 Key: SPARK-34511
>                 URL: https://issues.apache.org/jira/browse/SPARK-34511
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Build
>    Affects Versions: 3.0.1
>            Reporter: eoin
>            Priority: Major
>              Labels: security
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> The following libraries have the following vulnerabilities that will fail 
> Nexus security scans. They are deemed as threats of level 7 and higher on the 
> Sonatype/Nexus scale. Many of them can be fixed by upgrading the dependencies 
> as the are fixed in subsequent releases.
>  
> com.fasterxml.woodstox : woodstox-core : 5.0.3 * 
> [https://github.com/FasterXML/woodstox/issues/50]
>  * [https://github.com/FasterXML/woodstox/issues/51]
>  * [https://github.com/FasterXML/woodstox/issues/61]
> com.nimbusds : nimbus-jose-jwt : 4.41.1 * 
> [https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt]
>  * [https://connect2id.com/blog/nimbus-jose-jwt-7-9]
> Log4j : log4j : 1.2.17
> SocketServer class that is vulnerable to deserialization of untrusted data: * 
> https://issues.apache.org/jira/browse/LOG4J2-1863
>  * 
> [https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E]
>  * [https://bugzilla.redhat.com/show_bug.cgi?id=1785616]
> Dynamic-link Library (DLL) Preloading:
>  * [https://bz.apache.org/bugzilla/show_bug.cgi?id=50323]
>  
> apache-xerces : xercesImpl : 2.9.1 * hash table collisions -> 
> https://issues.apache.org/jira/browse/XERCESJ-1685
>  * 
> [https://mail-archives.apache.org/mod_mbox/xerces-j-dev/201410.mbox/%3cof3b40f5f7.e6552a8b-on85257d73.00699ed7-85257d73.006a9...@ca.ibm.com%3E]
>  * [https://bugzilla.redhat.com/show_bug.cgi?id=1019176]
>  
> com.fasterxml.jackson.core : jackson-databind : 2.10.0 * 
> [https://github.com/FasterXML/jackson-databind/issues/2589]
>  
> commons-beanutils : commons-beanutils : 1.9.3 * 
> [http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader]
>  * https://issues.apache.org/jira/browse/BEANUTILS-463
>  
> commons-io : commons-io : 2.5 * [https://github.com/apache/commons-io/pull/52]
>  * https://issues.apache.org/jira/browse/IO-556
>  * https://issues.apache.org/jira/browse/IO-559
>  
> io.netty : netty-all : 4.1.47.Final * 
> [https://github.com/netty/netty/issues/10351]
>  * [https://github.com/netty/netty/pull/10560]
>  
> org.apache.commons : commons-compress : 1.18 * 
> [https://commons.apache.org/proper/commons-compress/security-reports.html#Apache_Commons_Compress_Security_Vulnerabilities]
>  
> org.apache.hadoop : hadoop-hdfs : 2.7.4 * 
> [https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E]
>  * 
> [https://lists.apache.org/thread.html/caacbbba2dcc1105163f76f3dfee5fbd22e0417e0783212787086378@%3Cgeneral.hadoop.apache.org%3E]
>  * [https://hadoop.apache.org/cve_list.html]
>  * [https://www.openwall.com/lists/oss-security/2019/01/24/3]
>  
> org.apache.hadoop : hadoop-mapreduce-client-core : 2.7.4 * 
> [https://bugzilla.redhat.com/show_bug.cgi?id=1516399]
>  * 
> [https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E]
>  
> org.codehaus.jackson : jackson-mapper-asl : 1.9.13 * 
> [https://github.com/FasterXML/jackson-databind/issues/1599]
>  * [https://blog.sonatype.com/jackson-databind-remote-code-execution]
>  * [https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist]
>  * [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525]
>  * [https://access.redhat.com/security/cve/cve-2019-10172]
>  * [https://bugzilla.redhat.com/show_bug.cgi?id=1715075]
>  * [https://nvd.nist.gov/vuln/detail/CVE-2019-10172]
>  
> org.eclipse.jetty : jetty-http : 9.3.24.v20180605: * 
> [https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096]
>  
> org.eclipse.jetty : jetty-webapp : 9.3.24.v20180605 * 
> [https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921]
>  * [https://github.com/eclipse/jetty.project/issues/5451]
>  * 
> [https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6]
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to