[ https://issues.apache.org/jira/browse/SPARK-51035?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17952027#comment-17952027 ]

Yang Jie commented on SPARK-51035:
----------------------------------

Upgrading Derby requires waiting for the Derby community to release a new v.10.16 version. Although Derby v.10.17 has resolved the issue, it necessitates the use of at least Java 19, whereas Spark needs to be compatible with Java 17.

> Upgrade dependencies exposed to critical and high CVEs
> ------------------------------------------------------
>
>                 Key: SPARK-51035
>                 URL: https://issues.apache.org/jira/browse/SPARK-51035
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: PySpark
>    Affects Versions: 4.0.0
>            Reporter: Marina Gonzalez
>            Priority: Critical
>
> Several outdated library dependencies still referenced in *PySpark 4.0.0* contain *high/critical security vulnerabilities (CVEs)*. If not updated, these vulnerabilities could affect users who rely on PySpark for production workloads.
>
> * *derby*: [v.10.16.1.1|https://github.com/apache/spark/blob/b49ef2ada0fcce7e3b5559abaf067d11f324d733/pom.xml#L139] referenced by pyspark 4.0.0 does [not resolve|https://mvnrepository.com/artifact/org.apache.derby/derby/10.16.1.1] the vulnerability ([NVD - CVE-2022-46337|https://nvd.nist.gov/vuln/detail?vulnId=CVE-2022-46337])
> * *libfb303-0.9.3.jar*: [v.0.9.3|https://github.com/apache/spark/blob/b49ef2ada0fcce7e3b5559abaf067d11f324d733/pom.xml#L2486] is still referenced by pyspark 4.0.0 and does [not resolve|https://mvnrepository.com/artifact/org.apache.thrift/libfb303/0.9.3] some key vulnerabilities
> ** libfb303-0.9.3.jar comes from thrift v0.9.3, which is 10 years old (flag)
> * *janino-3.1.9.jar*: [v.3.1.9|https://github.com/apache/spark/blob/b49ef2ada0fcce7e3b5559abaf067d11f324d733/pom.xml#L200] still referenced by pyspark 4.0.0 does [not resolve|https://nvd.nist.gov/vuln/detail/CVE-2023-33546] the vulnerability ([NVD - CVE-2023-33546|https://nvd.nist.gov/vuln/detail?vulnId=CVE-2023-33546])
>
> These vulnerabilities affect Spark users by:
> * Exposing PySpark workflows to potential security risks.
> * Including outdated dependencies that lack recent security fixes.
> * Forcing users to patch Spark manually instead of using an official release.
>
> Expected Behaviour:
> * Ideally, the dependencies should be upgraded to their latest secure versions before the final release of PySpark 4.0.0.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
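The situation the comment describes, a CVE fix that exists upstream but cannot be adopted without raising the project's Java baseline, is worth making visible in a dependency audit rather than discovering it at upgrade time. The script below is an added example and is not code from the Jira thread or from the Spark project. It parses the `<properties>` block of a constructed pom.xml fragment (the property names `derby.version`, `janino.version`, `libfb303.version` and `java.version` are assumptions, not Spark's real pom), compares each pinned version numerically against an advisory table, and reports whether the fix is already applied, available, blocked by the Java baseline, or not known. The advisory entries use only what the thread states: Derby 10.17 resolves CVE-2022-46337 but needs Java 19; for Janino the thread names CVE-2023-33546 without a fixed version, so that entry deliberately carries none.

```python
"""Audit pinned Maven dependency versions against an advisory table,
surfacing fixes that are blocked by the project's Java baseline.

Constructed example: the pom fragment, the property names and the
advisory table are assumptions modelled on the Jira thread, not
Spark's real build files."""
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment. The property names are an assumption;
# Spark's real pom.xml is not reproduced here.
POM_XML = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <java.version>17</java.version>
    <derby.version>10.16.1.1</derby.version>
    <libfb303.version>0.9.3</libfb303.version>
    <janino.version>3.1.9</janino.version>
  </properties>
</project>
"""

# artifact -> (CVE id, first release line that fixes it or None when the
# thread names no fixed version, minimum Java release the fix needs or None).
# Derby: 10.17 resolves it but requires Java 19 (as stated in the comment).
# Janino: the thread gives the CVE but no fixed version, so it stays None.
ADVISORIES = {
    "derby": ("CVE-2022-46337", "10.17", 19),
    "janino": ("CVE-2023-33546", None, None),
}


def version_key(version):
    """Turn '10.16.1.1' into (10, 16, 1, 1) so versions compare numerically
    rather than as strings (where '10.9' would sort after '10.16').
    Parsing stops at the first non-numeric segment, e.g. '-SNAPSHOT'."""
    key = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        key.append(int(m.group(0)))
    return tuple(key)


def java_release(value):
    """Map '17' -> 17 and the legacy '1.8' style -> 8."""
    key = version_key(value)
    if not key:
        return 0
    return key[1] if key[0] == 1 and len(key) > 1 else key[0]


def pinned_versions(pom_xml):
    """Collect every <properties> child as {name: value}, stripping the POM
    namespace so the same code works with or without the xmlns."""
    root = ET.fromstring(pom_xml)
    pins = {}
    for node in root.iter():
        if node.tag.rsplit("}", 1)[-1] == "properties":
            for child in node:
                pins[child.tag.rsplit("}", 1)[-1]] = (child.text or "").strip()
    return pins


def audit(pom_xml, advisories=ADVISORIES):
    """Return {artifact: (cve, status)} with status one of 'not_pinned',
    'no_fix_version_known', 'fixed', 'fix_needs_java_<n>', 'upgrade_available'."""
    pins = pinned_versions(pom_xml)
    baseline = java_release(pins.get("java.version", "0"))
    report = {}
    for artifact, (cve, fixed, min_java) in advisories.items():
        pinned = pins.get(f"{artifact}.version")
        if pinned is None:
            status = "not_pinned"
        elif fixed is None:
            status = "no_fix_version_known"
        elif version_key(pinned) >= version_key(fixed):
            status = "fixed"
        elif min_java is not None and min_java > baseline:
            # Fix exists but cannot be adopted without raising the Java
            # baseline: the Derby case described in the comment.
            status = f"fix_needs_java_{min_java}"
        else:
            status = "upgrade_available"
        report[artifact] = (cve, status)
    return report


if __name__ == "__main__":
    for artifact, (cve, status) in audit(POM_XML).items():
        print(f"{artifact:<8} {cve:<15} {status}")
```

Run against the embedded fragment it reports Derby as `fix_needs_java_19` and Janino as `no_fix_version_known`; raising `java.version` to 19 flips Derby to `upgrade_available`, which is the kind of signal a release checklist can gate on. Entries whose fix version is unknown are reported rather than silently passed, so a missing advisory detail never reads as "clean".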