Hello Manohara,

Thank you for your question. When an advisory is published for a dependency, more often than not, the project does not use the dependency in a way that is affected by the problem described in the advisory. For this reason we don't accept the simple fact that an advisory exists for a dependency as a security issue in itself. If you have done any analysis to confirm that the issue described in the advisory does impact this project, please share that information with us privately. Likewise, if you have verified that the issue does not impact Spark, it would be appreciated if you contributed that information. In any case, you can work with us to get this dependency updated through the regular open contribution channels: you might want to review https://spark.apache.org/contributing.html .
In this case, it might also be worth investigating how this list of components is constructed: it seems surprising that there is a dependency on spark-core_2.12:3.3.2 if you say you're running on version 3.5.1?

Kind regards,

Arnout Engelen
ASF Security

On Wed, Mar 20, 2024 at 5:54 PM Manohara Raju via security <secur...@apache.org> wrote:

> Hi Team,
>
> Please could you let us know if the below known impacted libraries are
> going to be upgraded to the latest version in the upcoming release?
>
> We would appreciate your timely response, which would help us plan the
> upgrade to mitigate these security issues.
>
> Severity | CVEs           | Vulnerable Component
> Critical | CVE-2023-44981 | gav://org.apache.zookeeper:zookeeper:3.6.3
> Critical | CVE-2019-10202 | gav://org.codehaus.jackson:jackson-mapper-asl:1.9.13
> Critical | CVE-2022-46337 | gav://org.apache.derby:derby:10.14.2.0
> Critical | CVE-2023-22946 | gav://org.apache.spark:spark-core_2.12:3.3.2
> Critical | CVE-2019-10202 | gav://io.netty:netty-codec-http2:4.1.86.Final
> Critical | CVE-2022-46337 | gav://net.minidev:json-smart:1.3.2
> Critical | CVE-2023-44981 | gav://com.google.guava:guava:14.0.1
> High     | CVE-2023-44487 | gav://com.google.protobuf:protobuf-java:3.3.0
> High     | CVE-2023-1370  | gav://com.fasterxml.jackson.core:jackson-databind:2.12.7
> High     | CVE-2023-2976  | gav://org.apache.thrift:libthrift:0.12.0
> High     | CVE-2023-2976  | gav://com.google.protobuf:protobuf-java:3.7.1
> High     | CVE-2023-2976  | gav://org.apache.ivy:ivy:2.5.1
> High     | CVE-2022-3171  | gav://org.apache.mesos:mesos:1.4.3
> High     | CVE-2022-42004 | gav://com.fasterxml.woodstox:woodstox-core:5.3.0
> High     | CVE-2019-0210  | gav://org.apache.avro:avro:1.11.2
> High     | CVE-2022-3510  | gav://io.netty:netty-codec-http2:4.1.96.Final
> High     | CVE-2022-46751 | gav://org.xerial.snappy:snappy-java:1.1.10.3
> High     | CVE-2018-1330  | gav://com.squareup.okhttp3:okhttp:3.12.12
> High     | CVE-2022-40152 | gav://org.apache.avro:avro:1.7.7
> High     | CVE-2023-39410 | gav://com.google.guava:guava:30.1.1-jre
> High     | CVE-2023-44487 | gav://com.squareup.okio:okio:1.15.0
> High     | CVE-2023-43642 | gav://com.google.code.gson:gson:2.2.4
> High     | CVE-2021-0341  | gav://org.json:json:20211205
> High     | CVE-2023-39410 | gav://mysql:mysql-connector-java:8.0.30
> High     | CVE-2023-2976  | gav://org.apache.commons:commons-compress:1.21
> High     | CVE-2023-2976  | gav://org.eclipse.jetty:jetty-http:9.4.43.v20210629
> High     | CVE-2023-3635  | gav://commons-net:commons-net:3.6
> High     | CVE-2023-1370  | gav://io.netty:netty-handler:4.1.86.Final
> High     | CVE-2023-39410 | gav://org.apache.commons:commons-compress:1.23.0
> High     | CVE-2022-3171  | gav://org.eclipse.jetty:jetty-server:9.4.48.v20220622
> High     | CVE-2022-42004 | gav://com.fasterxml.jackson.core:jackson-databind:2.15.2
> High     | CVE-2022-25647 | gav://com.fasterxml.jackson.core:jackson-databind:2.13.4.2
> High     | CVE-2022-45688 | gav://org.eclipse.jetty:jetty-servlets:9.4.48.v20220622
> High     | CVE-2023-22102 | gav://org.eclipse.jetty:jetty-http:9.4.48.v20220622
> High     | CVE-2019-0210  | gav://org.slf4j:jcl-over-slf4j:2.0.7
> High     | CVE-2022-46751 | gav://org.slf4j:slf4j-api:1.7.12
> High     | CVE-2023-39410 | gav://org.slf4j:slf4j-api:2.0.7
> High     | CVE-2022-3171  | gav://org.slf4j:jul-to-slf4j:2.0.7
> High     | CVE-2018-1330  | gav://org.slf4j:slf4j-api:1.7.25
> High     | CVE-2022-40152 | gav://org.slf4j:slf4j-api:1.7.30
> High     | CVE-2021-0341  | gav://com.nimbusds:nimbus-jose-jwt:9.8.1
>
> Thanks,
> Manohar
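The reply above asks two things of a scanner report before it is worth raising with a project: does the listed inventory actually describe one deployment (an artifact appearing at several versions, or the project's own core artifact at a version other than the one said to be running, suggests it does not), and has each advisory been triaged against how the project uses the dependency. The script below is an added example, not code from the Apache Spark project or from either party in this thread. It parses findings in the severity / CVE / gav://group:artifact:version shape of the quoted table (the sample rows are copied from that table and labelled as constructed input; the deployed version 3.5.1 is the one the reporter stated) and reports the inconsistencies the reply points at, so the reporter can fix the inventory before asking upstream about it.

```python
"""Sanity-check a flat SCA finding list before raising it with an upstream project.

Added example; not part of the mailing-list thread or of Apache Spark's code base.
"""
from collections import defaultdict
import re

# 'gav://group:artifact:version' as used in the quoted table.
GAV_RE = re.compile(r"^gav://(?P<group>[^:]+):(?P<artifact>[^:]+):(?P<version>[^:]+)$")

# Constructed sample input: a subset of rows copied from the quoted table
# (severity, CVE, component); values are the reporter's, not verified here.
SAMPLE_FINDINGS = [
    ("Critical", "CVE-2023-44981", "gav://org.apache.zookeeper:zookeeper:3.6.3"),
    ("Critical", "CVE-2023-22946", "gav://org.apache.spark:spark-core_2.12:3.3.2"),
    ("Critical", "CVE-2019-10202", "gav://io.netty:netty-codec-http2:4.1.86.Final"),
    ("High", "CVE-2022-3510", "gav://io.netty:netty-codec-http2:4.1.96.Final"),
    ("High", "CVE-2023-1370", "gav://com.fasterxml.jackson.core:jackson-databind:2.12.7"),
    ("High", "CVE-2022-42004", "gav://com.fasterxml.jackson.core:jackson-databind:2.15.2"),
    ("High", "CVE-2022-25647", "gav://com.fasterxml.jackson.core:jackson-databind:2.13.4.2"),
    ("High", "CVE-2022-46751", "gav://org.slf4j:slf4j-api:1.7.12"),
    ("High", "CVE-2023-39410", "gav://org.slf4j:slf4j-api:2.0.7"),
]


def parse_gav(coordinate):
    """Split 'gav://group:artifact:version' into its parts; ValueError if malformed."""
    m = GAV_RE.match(coordinate)
    if not m:
        raise ValueError(f"not a gav:// coordinate: {coordinate!r}")
    return m.group("group"), m.group("artifact"), m.group("version")


def versions_by_artifact(findings):
    """Map 'group:artifact' -> sorted distinct versions the scanner reported for it."""
    seen = defaultdict(set)
    for _severity, _cve, coordinate in findings:
        group, artifact, version = parse_gav(coordinate)
        seen[f"{group}:{artifact}"].add(version)
    return {key: sorted(v) for key, v in seen.items()}


def multi_version_artifacts(findings):
    """Artifacts listed at more than one version: a sign the inventory merges several
    classpaths (build-time, test, runtime) rather than describing one deployment."""
    return {k: v for k, v in versions_by_artifact(findings).items() if len(v) > 1}


def own_artifact_mismatches(findings, own_group, own_artifact_prefix, deployed_version):
    """Listed versions of the project's own artifact(s) that differ from the version the
    reporter says is deployed; a non-empty result means the inventory needs a second look."""
    mismatched = set()
    for _severity, _cve, coordinate in findings:
        group, artifact, version = parse_gav(coordinate)
        if group == own_group and artifact.startswith(own_artifact_prefix) \
                and version != deployed_version:
            mismatched.add(f"{artifact}:{version}")
    return sorted(mismatched)


def cves_per_artifact(findings):
    """Map 'group:artifact' -> sorted distinct CVE ids, so each advisory is triaged once
    against how the project actually uses that dependency."""
    cves = defaultdict(set)
    for _severity, cve, coordinate in findings:
        group, artifact, _version = parse_gav(coordinate)
        cves[f"{group}:{artifact}"].add(cve)
    return {key: sorted(v) for key, v in cves.items()}


if __name__ == "__main__":
    print("artifacts listed at several versions:", multi_version_artifacts(SAMPLE_FINDINGS))
    print("own-artifact versions differing from stated 3.5.1:",
          own_artifact_mismatches(SAMPLE_FINDINGS, "org.apache.spark", "spark-core", "3.5.1"))
    for key, ids in cves_per_artifact(SAMPLE_FINDINGS).items():
        print(f"{key}: {', '.join(ids)}")
```

On the sample rows this flags netty-codec-http2, jackson-databind and slf4j-api as present at several versions and spark-core_2.12:3.3.2 as not matching the stated 3.5.1 deployment; those are the questions to settle with whoever generated the inventory before any individual CVE is worth discussing with the project.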