[ https://issues.apache.org/jira/browse/SPARK-36134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17380695#comment-17380695 ]
Erik Krogen commented on SPARK-36134:
-------------------------------------

Jackson is already 2.12.3 (from [pom.xml|https://github.com/apache/spark/blob/fd06cc211d7d1579067ad717da9976aabd71b70d/pom.xml#L170]):
{code}
<fasterxml.jackson.version>2.12.3</fasterxml.jackson.version>
{code}
So what's the issue?

> jackson-databind RCE vulnerability [Need to upgrade to 2.9.3.1]
> ---------------------------------------------------------------
>
>                 Key: SPARK-36134
>                 URL: https://issues.apache.org/jira/browse/SPARK-36134
>             Project: Spark
>          Issue Type: Task
>          Components: Java API
>    Affects Versions: 3.1.2, 3.1.3
>            Reporter: Sumit
>            Priority: Major
>
> Need to upgrade jackson-databind version to *2.9.3.1*
> At the beginning of 2018, jackson-databind was reported to contain another
> remote code execution (RCE) vulnerability (CVE-2017-17485) that affects
> versions 2.9.3 and earlier, 2.7.9.1 and earlier, and 2.8.10 and earlier. This
> vulnerability is caused by jackson-databind's incomplete blacklist. An
> application that uses jackson-databind will become vulnerable when the
> enableDefaultTyping method is called via the ObjectMapper object within the
> application. An attacker can thus compromise the application by sending
> maliciously crafted JSON input to gain direct control over a server.
> Currently, a proof of concept (POC) exploit for this vulnerability has been
> publicly available. All users who are affected by this vulnerability should
> upgrade to the latest versions as soon as possible to fix this issue.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
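The issue text says the exposure comes from calling enableDefaultTyping on an ObjectMapper, which lets the type id embedded in attacker-supplied JSON choose the class Jackson instantiates. The following is an added example, not code from the Jira issue, from Spark or from Jackson, that puts that vulnerable configuration beside the hardened form jackson-databind has offered since 2.10 (a PolymorphicTypeValidator allow-list, which the 2.12.3 pinned in Spark's pom.xml supports). It assumes jackson-databind 2.10 or later on the classpath; DefaultTypingDemo, Envelope and Greeting are hypothetical names, and java.util.HashMap in the constructed input stands in for "a class the service never meant to deserialize", not for the CVE's actual gadget. With the allow-list mapper the HashMap type id is rejected before any instance is created; with the legacy mapper it is instantiated, because nothing but Jackson's built-in deny list of known gadgets is consulted.

```java
// Added example (not code from the Jira issue, from Spark, or from Jackson).
// Assumes jackson-databind >= 2.10 on the classpath (Spark's pom pins 2.12.3).
// DefaultTypingDemo, Envelope and Greeting are hypothetical names.
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    /** Hypothetical application type: the only payload class the service means to accept. */
    public static class Greeting {
        public String text;
    }

    /** Hypothetical wrapper. The Object-typed field is what default typing applies to. */
    public static class Envelope {
        public Object payload;
    }

    /**
     * The configuration the issue describes as vulnerable. With no validator, the
     * ["class.name", {...}] type id in attacker-supplied JSON selects any class on the
     * classpath; only Jackson's built-in deny list of known gadget classes stands in the way.
     */
    @SuppressWarnings("deprecation")
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // OBJECT_AND_NON_CONCRETE, no PolymorphicTypeValidator
        return m;
    }

    /** Hardened form: default typing only for an explicit allow-list (Jackson 2.10+ API). */
    static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Greeting.class) // Greeting and its subclasses, nothing else
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    /** True if the mapper instantiated the document, false if it rejected the type id. */
    static boolean accepts(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Envelope.class);
            return true;
        } catch (JsonProcessingException e) { // a denied type id surfaces as InvalidTypeIdException
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs. The second names java.util.HashMap purely as a stand-in for
        // "a class the service never intended to deserialize"; it is not the CVE's gadget.
        String expected = "{\"payload\":[\"" + Greeting.class.getName() + "\",{\"text\":\"hi\"}]}";
        String unexpected = "{\"payload\":[\"java.util.HashMap\",{}]}";

        System.out.println("unsafe mapper, expected type:   " + accepts(unsafeMapper(), expected));
        System.out.println("unsafe mapper, unexpected type: " + accepts(unsafeMapper(), unexpected));
        System.out.println("safe mapper, expected type:     " + accepts(safeMapper(), expected));
        System.out.println("safe mapper, unexpected type:   " + accepts(safeMapper(), unexpected));
    }
}
```

The design point is that the allow-list is checked on the type id before the class is resolved or instantiated, so it does not depend on Jackson's deny list keeping up with newly found gadgets, which is exactly the "incomplete blacklist" weakness the issue quotes. Whether a given deployment is exposed also depends on the jackson-databind version actually resolved on the classpath rather than the property in a pom; `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` shows which one a Maven build picked up.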