[ https://issues.apache.org/jira/browse/SPARK-36826?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sean R. Owen resolved SPARK-36826.
----------------------------------
    Resolution: Not A Problem

> CVEs in libraries used in bundled jars
> --------------------------------------
>
>                 Key: SPARK-36826
>                 URL: https://issues.apache.org/jira/browse/SPARK-36826
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Core
>    Affects Versions: 3.1.2
>            Reporter: Carlos Rodríguez Hernández
>            Priority: Major
>
> Hi, I found several CVEs in dependency libraries bundled in the _aws-java-sdk-bundle_ jar.
> We are using Spark 3.1.2, which bundles _hadoop-*_ jars version 3.2.0:
> {code:bash}
> $ curl -JLO "https://ftp.cixug.es/apache/spark/spark-3.1.2/spark-3.1.2-bin-hadoop3.2.tgz"
> $ tar xzf spark-3.1.2-bin-hadoop3.2.tgz
> $ find spark-3.1.2-bin-hadoop3.2/jars -wholename '*/hadoop-*'
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-client-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-mapreduce-client-core-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-common-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-mapreduce-client-jobclient-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-auth-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-yarn-server-common-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-yarn-api-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-yarn-registry-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-annotations-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-yarn-client-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-hdfs-client-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-mapreduce-client-common-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-yarn-common-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-yarn-server-web-proxy-3.2.0.jar
> {code}
> There is a dependency between the _hadoop-aws_, _hadoop-common_, and _hadoop-project_ versions; as well, the _aws-java-sdk_ one should match the one required by _hadoop-project_. Due to these dependencies we are including _hadoop-aws-3.2.0_ and _aws-java-sdk-bundle-1.11.375_:
> {code:bash}
> $ find spark-3.1.2-bin-hadoop3.2/jars -wholename
> spark-3.1.2-bin-hadoop3.2/jars/hadoop-aws-3.2.0.jar
> spark-3.1.2-bin-hadoop3.2/jars/aws-java-sdk-bundle-1.11.375.jar
> {code}
> Taking a look at the _hadoop-project_ pom, the _aws-java-sdk_ version is the correct one:
> {code:bash}
> $ curl -JLO "https://repo1.maven.org/maven2/org/apache/hadoop/hadoop-project/3.2.0/hadoop-project-3.2.0.pom"
> $ cat hadoop-project-3.2.0.pom | grep aws-java-sdk
>     <aws-java-sdk.version>1.11.375</aws-java-sdk.version>
>         <artifactId>aws-java-sdk-bundle</artifactId>
>         <version>${aws-java-sdk.version}</version>
> {code}
> Do you think it would be possible to update the versions of the jars to solve the vulnerabilities?
> ----
> Please see below the CVE report for _jars/aws-java-sdk-bundle-1.11.375.jar_:
> ||LIBRARY||VULNERABILITY ID||SEVERITY||INSTALLED VERSION||FIXED VERSION||TITLE||
> |com.fasterxml.jackson.core:jackson-databind|CVE-2017-15095|CRITICAL|2.6.7.1|2.9.4, 2.8.11|jackson-databind: Unsafe|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2017-17485|CRITICAL|2.6.7.1|2.8.11, 2.9.4|jackson-databind: Unsafe|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-11307|CRITICAL|2.6.7.1|2.8.11.2, 2.7.9.4, 2.9.6|jackson-databind: Potential|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-14718|CRITICAL|2.6.7.1|2.7.9.5, 2.8.11.3, 2.9.7|jackson-databind: arbitrary code|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-14719|CRITICAL|2.6.7.1|2.7.9.5, 2.8.11.3, 2.9.7|jackson-databind: arbitrary|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-14720|CRITICAL|2.6.7.1|2.6.7.2, 2.9.7|jackson-databind: exfiltration/XXE|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-14721|CRITICAL|2.6.7.1|2.6.7.2, 2.9.7|jackson-databind: server-side request|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-19360|CRITICAL|2.6.7.1|2.6.7.3, 2.7.9.5, 2.8.11.3|jackson-databind: improper|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-19361|CRITICAL|2.6.7.1|2.6.7.3, 2.7.9.5, 2.8.11.3|jackson-databind: improper|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-19362|CRITICAL|2.6.7.1|2.6.7.3, 2.7.9.5, 2.8.11.3|jackson-databind: improper|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-7489|CRITICAL|2.6.7.1|2.8.11.1, 2.9.5|jackson-databind: incomplete fix|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-14379|CRITICAL|2.6.7.1|2.9.9.2|jackson-databind: default|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-14540|CRITICAL|2.6.7.1|2.9.10|jackson-databind:|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-14892|CRITICAL|2.6.7.1|2.9.10, 2.8.11.5, 2.6.7.3|jackson-databind: Serialization|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-14893|CRITICAL|2.6.7.1|2.8.11.5, 2.9.10|jackson-databind:|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-16335|CRITICAL|2.6.7.1|2.9.10|jackson-databind:|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-16942|CRITICAL|2.6.7.1|2.9.10.1|jackson-databind:|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-16943|CRITICAL|2.6.7.1|2.9.10.1|jackson-databind:|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-17267|CRITICAL|2.6.7.1|2.9.10|jackson-databind: Serialization|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-17531|CRITICAL|2.6.7.1|2.9.10.1|jackson-databind:|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-20330|CRITICAL|2.6.7.1|2.9.10.2, 2.8.11.5|jackson-databind: lacks|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2020-8840|CRITICAL|2.6.7.1|2.9.10.3, 2.8.11.5|jackson-databind: Lacks certain|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2020-9547|CRITICAL|2.6.7.1|2.9.10.4|jackson-databind: Serialization|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2020-9548|CRITICAL|2.6.7.1|2.9.10.4|jackson-databind: Serialization|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-12022|HIGH|2.6.7.1|2.8.11.2, 2.7.9.4, 2.9.6|jackson-databind: improper|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-5968|HIGH|2.6.7.1|2.9.4, 2.8.11|jackson-databind: unsafe|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-12086|HIGH|2.6.7.1|2.9.9|jackson-databind: polymorphic|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-14439|HIGH|2.6.7.1|2.9.9.2|jackson-databind: Polymorphic|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2020-10673|HIGH|2.6.7.1|2.9.10.4|jackson-databind: mishandles|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2020-25649|HIGH|2.6.7.1|2.10.5.1, 2.9.10.7, 2.6.7.4|jackson-databind: FasterXML|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2020-35490|HIGH|2.6.7.1|2.9.10.8|jackson-databind: mishandles the interaction|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2020-35491|HIGH|2.6.7.1|2.9.10.8|jackson-databind: mishandles the interaction|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2021-20190|HIGH|2.6.7.1|2.9.10.7|jackson-databind: mishandles|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2018-1000873|MEDIUM|2.6.7.1|2.9.8|jackson-modules-java8: DoS due|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-12384|MEDIUM|2.6.7.1|2.9.9.1|jackson-databind: failure|
> |com.fasterxml.jackson.core:jackson-databind|CVE-2019-12814|MEDIUM|2.6.7.1|2.9.9.1|jackson-databind: polymorphic|
> |io.netty:netty-codec-http|CVE-2021-21290|MEDIUM|4.1.17.Final|4.1.59.Final|netty: Information disclosure via|
> |io.netty:netty-handler|CVE-2019-20444|CRITICAL|4.1.17.Final|4.1.44|netty: HTTP request smuggling|
> |io.netty:netty-handler|CVE-2019-20445|CRITICAL|4.1.17.Final|4.1.45|netty: HttpObjectDecoder.java allows|
> |io.netty:netty-handler|CVE-2020-11612|HIGH|4.1.17.Final|4.1.46|netty: compression/decompression|
> |org.apache.httpcomponents:httpclient|CVE-2020-13956|MEDIUM|4.5.5|5.0.3, 4.5.13|apache-httpclient: incorrect|
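The scanner table above flags the library copies shaded inside _aws-java-sdk-bundle_, which a filename-based jar inventory would never see. The script below is an added example for this issue, not code from the reporter, Spark or Hadoop: it discovers the shaded library versions by reading the `META-INF/maven/<group>/<artifact>/pom.properties` entries that the Maven shade plugin normally keeps inside a bundle jar (an assumption about the jar's layout), then re-evaluates a few rows copied from the report against those versions. The sample jar, its contents, and the `is_affected` "fix on the same major.minor branch" rule are constructed here to show why a bump inside the 2.6.x line closes some jackson-databind CVEs and not others.

```python
"""Re-check a scanner's CVE table against the library versions actually shaded
inside a bundle jar. Added example for SPARK-36826; not the project's code.
Assumes the jar keeps Maven's META-INF/maven/<group>/<artifact>/pom.properties
entries for the libraries it shades; is_affected() is a heuristic, not an advisory."""
import re
import tempfile
import zipfile
from pathlib import Path

# Four rows copied from the scanner table in the issue (JIRA wiki-table syntax).
REPORT_ROWS = """
||LIBRARY||VULNERABILITY ID||SEVERITY||INSTALLED VERSION||FIXED VERSION||TITLE||
|com.fasterxml.jackson.core:jackson-databind|CVE-2017-15095|CRITICAL|2.6.7.1|2.9.4, 2.8.11|jackson-databind: Unsafe|
|com.fasterxml.jackson.core:jackson-databind|CVE-2020-25649|HIGH|2.6.7.1|2.10.5.1, 2.9.10.7, 2.6.7.4|jackson-databind: FasterXML|
|io.netty:netty-handler|CVE-2019-20444|CRITICAL|4.1.17.Final|4.1.44|netty: HTTP request smuggling|
|org.apache.httpcomponents:httpclient|CVE-2020-13956|MEDIUM|4.5.5|5.0.3, 4.5.13|apache-httpclient: incorrect|
"""

def parse_report(table):
    """Turn '|library|cve|severity|installed|fixed list|title|' rows into dicts."""
    findings = []
    for line in table.strip().splitlines():
        line = line.strip()
        if not line.startswith("|") or line.startswith("||"):
            continue  # skip blank lines and the ||header|| row
        cells = [c.strip() for c in line.strip("|").split("|")]
        findings.append({
            "library": cells[0], "cve": cells[1], "severity": cells[2],
            "installed": cells[3],
            "fixed": [v.strip() for v in cells[4].split(",") if v.strip()],
        })
    return findings

def version_key(version):
    """Comparable form of '4.1.17.Final': numeric parts as ints, tags sort after numbers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))

def is_affected(installed, fixed_versions):
    """Affected if below the fix on its own major.minor branch, or, when that
    branch got no fix at all, below the oldest fixed release (heuristic)."""
    inst = version_key(installed)
    same_branch = [version_key(f) for f in fixed_versions
                   if version_key(f)[:2] == inst[:2]]
    if same_branch:
        return inst < max(same_branch)
    return inst < min(version_key(f) for f in fixed_versions)

def parse_pom_properties(text):
    """Minimal key=value parser for Maven's pom.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def bundled_libraries(jar_path):
    """Map 'group:artifact' -> version for every pom.properties shaded into the jar."""
    found = {}
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    found[f"{props['groupId']}:{props['artifactId']}"] = props["version"]
    return found

def check_jar(jar_path, findings):
    """Return (library, installed, cve, severity) for each report row still open in this jar."""
    installed = bundled_libraries(jar_path)
    still_open = []
    for f in findings:
        version = installed.get(f["library"])
        if version is not None and is_affected(version, f["fixed"]):
            still_open.append((f["library"], version, f["cve"], f["severity"]))
    return still_open

def build_sample_bundle(directory):
    """Constructed stand-in for aws-java-sdk-bundle: a jar holding only pom.properties
    entries, with jackson at 2.6.7.4 and httpclient at 4.5.13 to show partial fixes."""
    jar = Path(directory) / "sample-bundle.jar"
    libs = {
        ("com.fasterxml.jackson.core", "jackson-databind"): "2.6.7.4",
        ("io.netty", "netty-handler"): "4.1.17.Final",
        ("org.apache.httpcomponents", "httpclient"): "4.5.13",
    }
    with zipfile.ZipFile(jar, "w") as zf:
        for (group, artifact), version in libs.items():
            body = f"version={version}\ngroupId={group}\nartifactId={artifact}\n"
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties", body)
    return jar

def demo():
    """Build the sample jar and return the report rows that still apply to it."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_jar(build_sample_bundle(tmp), parse_report(REPORT_ROWS))

if __name__ == "__main__":
    for library, version, cve, severity in demo():
        print(f"{severity:<8} {cve:<15} {library} {version}")
```

Against the constructed jar, CVE-2020-25649 and CVE-2020-13956 drop out because the 2.6.x and 4.5.x branches reached their fixed releases, while CVE-2017-15095 stays open because no 2.6.x release ever fixed it and netty-handler 4.1.17.Final is still below 4.1.44. To run the same check on a real distribution, point `bundled_libraries` at `spark-3.1.2-bin-hadoop3.2/jars/aws-java-sdk-bundle-1.11.375.jar` and feed `parse_report` the full table; the branch rule is only a triage aid, and the advisory text for each CVE remains the authority on which releases are fixed.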
--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org