[ https://issues.apache.org/jira/browse/SPARK-30466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17553260#comment-17553260 ]

Vulnk000 commented on SPARK-30466:
----------------------------------

Hello,

any update on this ticket?

I've been checking, and some of those vulnerabilities already have exploit PoCs, 
which makes it easier to later exploit them in the final application.
 * [https://github.com/BassinD/jackson-RCE] (CVE-2017-7525)
 * [https://github.com/x7iaob/cve-2017-17485/blob/master/bean-payload.xml] (CVE-2017-17485)
 * [https://github.com/SecureSkyTechnology/study-struts2-s2-054_055-jackson-cve-2017-7525_cve-2017-15095] (not clear as it is in Japanese)
 * [https://github.com/x-f1v3/Vulnerability_Environment/blob/0b0c77b451c43de16adac0d7b1bb03c684d4cfc1/Jackson/backend/src/main/java/de/javan/jacksonrce/app/test.java] ([CVE-2018-5968|https://nvd.nist.gov/vuln/detail/CVE-2018-5968])

For the comments:
{noformat}
Hadoop 2.7 still depends on the libs, see 
https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-common/2.7.0 . Even 
if it is possible to remove the dependencies from Spark, they will be included 
as transitive dependencies.
{noformat}
The Hadoop version now supported is 2.10. Is it possible to move to this version 
instead? I don't really know if it solves the issues.

On the other hand, if there is no solution right now, can these vulnerabilities 
be evaluated in order to confirm whether the application is vulnerable?
If this vulnerable code/these libraries don't process inputs managed by 3rd 
parties, like configuration files or external input parameters, then these 
vulnerabilities should not affect this application now, right?


> remove dependency on jackson-mapper-asl-1.9.13 and jackson-core-asl-1.9.13
> --------------------------------------------------------------------------
>
>                 Key: SPARK-30466
>                 URL: https://issues.apache.org/jira/browse/SPARK-30466
>             Project: Spark
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 2.4.4, 3.0.0
>            Reporter: Michael Burgener
>            Priority: Major
>              Labels: security
>
> These 2 libraries are deprecated and replaced by the jackson-databind 
> libraries which are already included.  These two libraries are flagged by our 
> vulnerability scanners as having the following security vulnerabilities.  
> I've set the priority to Major due to the Critical nature and hopefully they 
> can be addressed quickly.  Please note, I'm not a developer but work in 
> InfoSec and this was flagged when we incorporated spark into our product.  If 
> you feel the priority is not set correctly please change accordingly.  I'll 
> watch the issue and flag our dev team to update once resolved.  
> jackson-mapper-asl-1.9.13
> CVE-2018-7489 (CVSS 3.0 Score 9.8 CRITICAL)
> [https://nvd.nist.gov/vuln/detail/CVE-2018-7489] 
>  
> CVE-2017-7525 (CVSS 3.0 Score 9.8 CRITICAL)
> [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
>  
> CVE-2017-17485 (CVSS 3.0 Score 9.8 CRITICAL)
> [https://nvd.nist.gov/vuln/detail/CVE-2017-17485]
>  
> CVE-2017-15095 (CVSS 3.0 Score 9.8 CRITICAL)
> [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
>  
> CVE-2018-5968 (CVSS 3.0 Score 8.1 High)
> [https://nvd.nist.gov/vuln/detail/CVE-2018-5968]
>  
> jackson-core-asl-1.9.13
> CVE-2016-7051 (CVSS 3.0 Score 8.6 High)
> https://nvd.nist.gov/vuln/detail/CVE-2016-7051
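Added here as a worked example, not code from the Jira thread or the Spark project: a POSIX shell check for the first question behind the exposure discussion above, namely whether the flagged org.codehaus.jackson 1.x artifacts (jackson-core-asl, jackson-mapper-asl) are on the application's classpath at all. It assumes the classpath is laid out as plain jars in a directory (for a Spark distribution, its jars/ directory; that layout is an assumption here, not something the ticket states), and when run without an argument it scans a constructed sample tree of empty files named like jars.

```shell
#!/bin/sh
# Added example (not code from the Jira thread or the Spark project):
# report every jackson-core-asl / jackson-mapper-asl jar (the org.codehaus.jackson
# 1.x artifacts flagged in SPARK-30466) found under a directory.
# Assumption: the application ships its classpath as plain jars in a directory
# (for a Spark build, the jars/ directory of the distribution is the usual place).

# Print one line per hit: "<artifactId> <version> <path>".
scan_codehaus_jackson() {
    dir="$1"
    find "$dir" -type f \( -name 'jackson-core-asl-*.jar' -o -name 'jackson-mapper-asl-*.jar' \) |
    while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        case "$base" in
            jackson-core-asl-*)   artifact=jackson-core-asl ;;
            jackson-mapper-asl-*) artifact=jackson-mapper-asl ;;
            *) continue ;;
        esac
        # Strip "<artifactId>-" from the file name; what remains is the version.
        version=${base#"$artifact-"}
        printf '%s %s %s\n' "$artifact" "$version" "$jar"
    done
}

# Number of hits; 0 means the flagged artifacts are not in the directory at all.
count_codehaus_jackson() {
    scan_codehaus_jackson "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree (empty files standing in for jars) and scan it.
demo_codehaus_jackson() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/jars"
    : > "$tmp/jars/jackson-mapper-asl-1.9.13.jar"
    : > "$tmp/jars/jackson-core-asl-1.9.13.jar"
    : > "$tmp/jars/jackson-databind-2.10.0.jar"   # jackson 2.x, deliberately not matched
    scan_codehaus_jackson "$tmp"
    printf 'hits: %s\n' "$(count_codehaus_jackson "$tmp")"
    rm -rf "$tmp"
}

# Scan the directory given on the command line, or the constructed sample if none.
if [ "$#" -gt 0 ]; then
    scan_codehaus_jackson "$1"
    printf 'hits: %s\n' "$(count_codehaus_jackson "$1")"
else
    demo_codehaus_jackson
fi
```

Matching on file names only finds the artifacts as they are shipped; a copy of org.codehaus.jackson relocated into a shaded or assembly jar is not reported. For a build rather than a distribution, `mvn dependency:tree -Dincludes=org.codehaus.jackson` filters the dependency tree to those artifacts and shows the transitive path (for example through hadoop-common) that the quoted comment refers to. Presence on the classpath is necessary but not sufficient for exposure; whether attacker-controlled input ever reaches these classes is the separate question raised above and is not answered by this check.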


