[ https://issues.apache.org/jira/browse/SPARK-51035?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17985049#comment-17985049 ]

Yaniv Kunda commented on SPARK-51035:
-------------------------------------

[~LuciferYang] I don't think it's possible for user input to be passed to 
Janino, but I feel [~marinagonzalez]'s request from an operational perspective:
When faced with auditing (e.g. in case of FedRAMP validation) - the existence 
of vulnerable dependencies needs either a resolution or an explanation (to 
warrant an exemption); it can be hard enough to prove an application cannot 
be used in a way that exploits a vulnerability in a direct dependency - but 
it's much harder to do so for transitive dependencies.
Patching these by Spark users can be problematic as well - creating possible 
runtime issues.

[~chengpan] libfb303 is indeed the latest version, but has not been released 
since 2015 - and I couldn't find any actual usages in the project.

If it makes sense, I can try and upgrade these and see how tests fare.
Regarding Derby, recent discussions hint that it's not going to be updated for 
the 10.16 branch soon -
https://issues.apache.org/jira/browse/DERBY-7147

> Upgrade dependencies exposed to critical and high CVEs
> ------------------------------------------------------
>
>                 Key: SPARK-51035
>                 URL: https://issues.apache.org/jira/browse/SPARK-51035
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: PySpark
>    Affects Versions: 4.0.0
>            Reporter: Marina Gonzalez
>            Priority: Critical
>
> Several outdated library dependencies still referenced in *PySpark 4.0.0* 
> contain {*}high/critical security vulnerabilities (CVEs){*}. If not updated, 
> these vulnerabilities could affect users who rely on PySpark for production 
> workloads.
>  * *[derby|https://github.com/apache/spark/blob/b49ef2ada0fcce7e3b5559abaf067d11f324d733/pom.xml#L139]*: 
> _[v.10.16.1.1|https://github.com/apache/spark/blob/b49ef2ada0fcce7e3b5559abaf067d11f324d733/pom.xml#L139]_ 
> referenced by pyspark 4.0.0 does [not 
> resolve|https://mvnrepository.com/artifact/org.apache.derby/derby/10.16.1.1] 
> the vulnerability ([NVD - 
> CVE-2022-46337|https://nvd.nist.gov/vuln/detail?vulnId=CVE-2022-46337])
>  * *libfb303-0.9.3.jar*: 
> [v.0.9.3|https://github.com/apache/spark/blob/b49ef2ada0fcce7e3b5559abaf067d11f324d733/pom.xml#L2486] 
> is still referenced by pyspark 4.0.0 and does [not 
> resolve|https://mvnrepository.com/artifact/org.apache.thrift/libfb303/0.9.3] 
> some key vulnerabilities
>  ** libfb303-0.9.3.jar comes from thrift v0.9.3, which is 10 years old (flag)
>  * *janino-3.1.9.jar*: 
> [v.3.1.9|https://github.com/apache/spark/blob/b49ef2ada0fcce7e3b5559abaf067d11f324d733/pom.xml#L200] 
> is still referenced by pyspark 4.0.0 and does [not 
> resolve|https://nvd.nist.gov/vuln/detail/CVE-2023-33546] the vulnerability 
> ([NVD - 
> CVE-2023-33546|https://nvd.nist.gov/vuln/detail?vulnId=CVE-2023-33546])
> These vulnerabilities affect Spark users by:
>  * Exposing PySpark workflows to potential security risks.
>  * Including outdated dependencies that lack recent security fixes.
>  * Forcing users to patch Spark manually instead of using an official release.
> Expected Behaviour:
>  * Ideally, the dependencies should be upgraded to their latest secure 
> versions before the final release of PySpark 4.0.0.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
