[ https://issues.apache.org/jira/browse/SPARK-34511?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17300575#comment-17300575 ]

Sean R. Owen commented on SPARK-34511:
--------------------------------------

What on this list probably affects Spark? We generally don't accept lists of 
output from static analysis tools, but a) should upgrade deps if it's easy just 
in case and b) should work to upgrade deps if there's any reasonable theory 
that it affects Spark. What remains according to that criterion?

> Current Security vulnerabilities in spark libraries
> ---------------------------------------------------
>
>                 Key: SPARK-34511
>                 URL: https://issues.apache.org/jira/browse/SPARK-34511
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Build
>    Affects Versions: 3.1.1
>            Reporter: eoin
>            Priority: Major
>              Labels: security
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> The following libraries have the following vulnerabilities that will fail 
> Nexus security scans. They are deemed as threats of level 7 and higher on the 
> Sonatype/Nexus scale. Many of them can be fixed by upgrading the dependencies, 
> as they are fixed in subsequent releases.
>   
> [Update - still present] com.fasterxml.woodstox : woodstox-core : 5.0.3
>  * [https://github.com/FasterXML/woodstox/issues/50]
>  * [https://github.com/FasterXML/woodstox/issues/51]
>  * [https://github.com/FasterXML/woodstox/issues/61]
>
> [Update - still present] com.nimbusds : nimbus-jose-jwt : 4.41.1
>  * [https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt]
>  * [https://connect2id.com/blog/nimbus-jose-jwt-7-9]
>
> [Update - still present] Log4j : log4j : 1.2.17
>  SocketServer class that is vulnerable to deserialization of untrusted data:
>  * https://issues.apache.org/jira/browse/LOG4J2-1863
>  * [https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E]
>  * [https://bugzilla.redhat.com/show_bug.cgi?id=1785616]
>  Dynamic-link Library (DLL) Preloading:
>  * [https://bz.apache.org/bugzilla/show_bug.cgi?id=50323]
>
> [Fixed] -apache-xerces : xercesImpl : 2.9.1-
>  * -hash table collisions -> https://issues.apache.org/jira/browse/XERCESJ-1685-
>  * -[https://mail-archives.apache.org/mod_mbox/xerces-j-dev/201410.mbox/%3cof3b40f5f7.e6552a8b-on85257d73.00699ed7-85257d73.006a9...@ca.ibm.com%3E]-
>  * [-https://bugzilla.redhat.com/show_bug.cgi?id=1019176-]
>
> [Update - still present] com.fasterxml.jackson.core : jackson-databind : 2.10.0
>  * [https://github.com/FasterXML/jackson-databind/issues/2589]
>
> [Update - still present] commons-beanutils : commons-beanutils : 1.9.3
>  * [http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader]
>  * https://issues.apache.org/jira/browse/BEANUTILS-463
>
> [Update - still present] commons-io : commons-io : 2.5
>  * [https://github.com/apache/commons-io/pull/52]
>  * https://issues.apache.org/jira/browse/IO-556
>  * https://issues.apache.org/jira/browse/IO-559
>
> [Upgraded to 4.1.51.Final, still with vulnerabilities, see new below] -io.netty : netty-all : 4.1.47.Final-
>  * -[https://github.com/netty/netty/issues/10351]-
>  * [-https://github.com/netty/netty/pull/10560-]
>
> [Update - still present] org.apache.commons : commons-compress : 1.18
>  * [https://commons.apache.org/proper/commons-compress/security-reports.html#Apache_Commons_Compress_Security_Vulnerabilities]
>
> [Update - changed to org.apache.hadoop : hadoop-hdfs-client : 3.2.0, see new below] -org.apache.hadoop : hadoop-hdfs : 2.7.4-
>  * -[https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E]-
>  * -[https://lists.apache.org/thread.html/caacbbba2dcc1105163f76f3dfee5fbd22e0417e0783212787086378@%3Cgeneral.hadoop.apache.org%3E]-
>  * -[https://hadoop.apache.org/cve_list.html]-
>  * -[https://www.openwall.com/lists/oss-security/2019/01/24/3]-
>
>  -org.apache.hadoop : hadoop-mapreduce-client-core : 2.7.4-
>  * -[https://bugzilla.redhat.com/show_bug.cgi?id=1516399]-
>  * -[https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E]-
>
> [Update - still present] org.codehaus.jackson : jackson-mapper-asl : 1.9.13
>  * [https://github.com/FasterXML/jackson-databind/issues/1599]
>  * [https://blog.sonatype.com/jackson-databind-remote-code-execution]
>  * [https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist]
>  * [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525]
>  * [https://access.redhat.com/security/cve/cve-2019-10172]
>  * [https://bugzilla.redhat.com/show_bug.cgi?id=1715075]
>  * [https://nvd.nist.gov/vuln/detail/CVE-2019-10172]
>
> [Update - still present] org.eclipse.jetty : jetty-http : 9.3.24.v20180605
>  * [https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096]
>
> [Update - still present] org.eclipse.jetty : jetty-webapp : 9.3.24.v20180605
>  * [https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921]
>  * [https://github.com/eclipse/jetty.project/issues/5451]
>  * [https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6]
>
> New:
>
> datatables 1.10.7
>  * [https://github.com/DataTables/Dist-DataTables/commit/e2e19eac7e5a6f140d7eefca5c7deba165b357eb#diff-e7d8309f017dd2ef6385fa8cdc1539a2R2765]
>
> jquery 3.3.1
>  * [https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/]
>  * [https://github.com/cbeust/testng/issues/2150]
>
> net.minidev : json-smart : 2.3
>  * [https://github.com/netplex/json-smart-v1/issues/7]
>  * [https://github.com/netplex/json-smart-v2/issues/60]
>
> org.apache.hadoop : hadoop-yarn-common : 3.2.0
>  * [https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/]
>  * [https://github.com/cbeust/testng/issues/2150]
>  * [https://github.com/DataTables/Dist-DataTables/commit/e2e19eac7e5a6f140d7eefca5c7deba165b357eb#diff-e7d8309f017dd2ef6385fa8cdc1539a2R2765]
>
> com.squareup.okhttp : okhttp : 2.7.5
>  * [https://source.android.com/security/bulletin/2021-02-01#android-runtime]
>
> io.netty : netty-all : 4.1.51.Final
>  * [https://github.com/netty/netty/issues/10351]
>  * [https://github.com/netty/netty/pull/10560]
>
> org.apache.hadoop : hadoop-hdfs-client : 3.2.0
>  * [https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
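As an added example (not code from the Spark project or from the reporter), below is a small Python triage helper for the kind of scanner output pasted in the issue: it parses the `group : artifact : version` coordinates as they appear in the report (a constructed sample of those lines is embedded), records which entries are struck through as fixed or superseded, and compares versions with a simplified Maven-style ordering so that qualifiers such as `4.1.47.Final`, `1.0-rc1` and `9.3.24.v20180605` are ranked the way a "is this dependency already at or above the fix line" check needs. The `MIN_VERSIONS` map is a placeholder chosen for illustration; it is not a list of fixed versions taken from the issue, and the comparator is a deliberately reduced version of Maven's `ComparableVersion` rules, not the real thing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: coordinate lines as they appear in the SPARK-34511 report
# (status tags as written there; Jira -strikethrough- marks fixed/superseded entries).
REPORT = """\
[Update - still present]com.fasterxml.woodstox : woodstox-core : 5.0.3
[Update - still present]com.nimbusds : nimbus-jose-jwt : 4.41.1
[Update - still present]Log4j : log4j : 1.2.17
[Fixed]-apache-xerces : xercesImpl : 2.9.1-
[Update - still present]com.fasterxml.jackson.core : jackson-databind : 2.10.0
[Upgraded to 4.1.51.Final still with vulnerabilities, see new below]-io.netty : netty-all : 4.1.47.Final-
org.eclipse.jetty : jetty-http : 9.3.24.v20180605
io.netty : netty-all : 4.1.51.Final
org.apache.hadoop : hadoop-hdfs-client : 3.2.0
"""

# Placeholder floors for illustration only; NOT fixed versions stated in the issue.
MIN_VERSIONS: Dict[str, str] = {
    "io.netty:netty-all": "4.1.51.Final",
    "com.fasterxml.jackson.core:jackson-databind": "2.10.5",
}

# Optional "[status]" prefix, optional leading "-" (strikethrough), then group:artifact:version,
# with an optional trailing "-" closing the strikethrough.
COORD_RE = re.compile(
    r"^(?:\[(?P<status>[^\]]*)\])?\s*-?"
    r"(?P<group>[\w.\-]+)\s*:\s*(?P<artifact>[\w.\-]+)\s*:\s*"
    r"(?P<version>[\w.\-]+?)-?\s*$"
)


@dataclass
class Dep:
    group: str
    artifact: str
    version: str
    status: Optional[str]
    struck: bool  # entry was -struck through- in the report (fixed or superseded)


def parse_report(text: str) -> List[Dep]:
    """Extract Maven coordinates from the report's free-form lines; skip anything else."""
    deps: List[Dep] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = COORD_RE.match(line)
        if not m:
            continue
        body = line[m.end("status") + 1:].strip() if m.group("status") is not None else line
        struck = body.startswith("-") and body.endswith("-")
        deps.append(Dep(m["group"], m["artifact"], m["version"], m["status"], struck))
    return deps


# Simplified Maven qualifier ordering: pre-release words < plain release (and its aliases
# "final", "ga", "release") < any other qualifier (e.g. Jetty's "v20180605").
PRE_RELEASE = {"alpha": 1, "beta": 2, "milestone": 3, "rc": 4, "cr": 4, "snapshot": 5}
RELEASE_ALIASES = {"", "final", "ga", "release"}


def _tokens(version: str) -> List[Tuple[int, int, str]]:
    toks: List[Tuple[int, int, str]] = []
    for raw in re.split(r"[.\-]", version):
        if raw.isdigit():
            toks.append((1, int(raw), ""))
            continue
        word = raw.lower()
        if word in RELEASE_ALIASES:
            toks.append((1, 0, ""))  # same rank as a plain release component
            continue
        base = re.match(r"[a-z]+", word)
        rank = PRE_RELEASE.get(base.group(0) if base else word)
        toks.append((0, rank, word) if rank else (2, 0, word))
    return toks


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; missing trailing components count as a release ".0"."""
    ta, tb = _tokens(a), _tokens(b)
    pad = (1, 0, "")
    n = max(len(ta), len(tb))
    ta += [pad] * (n - len(ta))
    tb += [pad] * (n - len(tb))
    return (ta > tb) - (ta < tb)


def below_minimum(deps: List[Dep], minimums: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Coordinates still listed (not struck) whose version is below the configured floor."""
    flagged = []
    for d in deps:
        if d.struck:
            continue  # already superseded in the report itself
        floor = minimums.get(f"{d.group}:{d.artifact}")
        if floor is not None and compare_versions(d.version, floor) < 0:
            flagged.append((d.group, d.artifact, d.version, floor))
    return flagged


if __name__ == "__main__":
    for group, artifact, have, need in below_minimum(parse_report(REPORT), MIN_VERSIONS):
        print(f"{group}:{artifact} is at {have}, floor is {need}")
```

The struck-through netty 4.1.47.Final entry is skipped and the re-listed 4.1.51.Final entry compares equal to its floor, so only the jackson-databind line is reported against the placeholder map. The comparator is where scanner-driven triage usually goes wrong: a naive string or tuple comparison would rank `4.1.47.Final` above `4.1.47` and `1.0-rc1` above `1.0`, both of which are the opposite of Maven's ordering.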
