RE: [EXTERNAL] Re: [Spark vulnerability] replace jackson-mapper-asl
Hi Owen,

As confirmed with our firm's appsec team, the library is still being used in Spark 3.3.1. I can also see the dependency below:

https://github.com/apache/spark/blob/v3.3.1/pom.xml#L1784

Is there some misunderstanding? I'd appreciate it if you could clarify further, thanks.

Regards
Harper

From: Sean Owen
Sent: Wednesday, December 14, 2022 10:27 PM
To: Wang, Harper (FRPPE)
Cc: user@spark.apache.org
Subject: Re: [EXTERNAL] Re: [Spark vulnerability] replace jackson-mapper-asl

The CVE you mention seems to affect jackson-databind, not jackson-mapper-asl. 3.3.1 already uses databind 2.13.x which is not affected.

On Wed, Dec 14, 2022 at 8:20 AM haibo.w...@morganstanley.com wrote:

Thanks Owen for the prompt response.

Sorry, I forgot to mention it's the latest Spark version, 3.3.1.

Both the spark-py image and the PyPI package below are good to use for us, but both have the same jackson-mapper-asl dependency.

https://hub.docker.com/layers/apache/spark-py/3.3.1/images/sha256-0d4fd8bcb2ad63a35c9ba5be278a3a34c28fc15e898307e458d501a7e11d6d51?context=explore
https://pypi.org/project/pyspark/

Regards
Harper

NOTICE: Morgan Stanley is not acting as a municipal advisor and the opinions or views contained herein are not intended to be, and do not constitute, advice within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. By communicating with Morgan Stanley you acknowledge that you have read, understand and consent, (where applicable), to the Morgan Stanley General Disclaimers found at http://www.morganstanley.com/disclaimers/terms. The entire content of this email message and any files attached to it may be sensitive, confidential, subject to legal privilege and/or otherwise protected from disclosure.
Re: [EXTERNAL] Re: [Spark vulnerability] replace jackson-mapper-asl
Please read the CVE you mention. It is not a CVE about the library you are referencing.

https://nvd.nist.gov/vuln/detail/CVE-2018-14721

On Thu, Dec 15, 2022 at 7:52 PM haibo.w...@morganstanley.com <haibo.w...@morganstanley.com> wrote:

> Hi Owen,
>
> As confirmed with our firm's appsec team, the library is still being used in
> Spark 3.3.1. I can also see the dependency below:
>
> https://github.com/apache/spark/blob/v3.3.1/pom.xml#L1784
>
> Is there some misunderstanding? I'd appreciate it if you could clarify further, thanks.
>
> Regards
> Harper
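Sean's point, that the scanner finding names one artifact while the CVE record covers another, is the kind of mismatch a small triage step can catch before a ticket is raised. The Python below is an added example written for this page, not code from the thread or from Spark: it parses a scanner line in the shape Harper pasted and checks the flagged coordinate and version against what the CVE record covers. The affected artifact (com.fasterxml.jackson.core:jackson-databind) and first fixed version (2.9.7) are assumptions taken from the NVD record linked above, and the two jackson-databind lines are constructed for comparison.

```python
import re
from collections import namedtuple

# Scanner finding in the shape pasted in the thread:
#   gav://GROUP:ARTIFACT:VERSION,CVE-ID,<other field>,LOW <= Version <= HIGH
FINDING_RE = re.compile(
    r"gav://(?P<group>[^:]+):(?P<artifact>[^:]+):(?P<version>[^,]+),"
    r"(?P<cve>CVE-\d{4}-\d+),.*?(?P<low>[\w.\-]+) <= Version <= (?P<high>[\w.\-]+)$"
)
Finding = namedtuple("Finding", "group artifact version cve low high")

def parse_finding(line: str) -> Finding:
    m = FINDING_RE.search(line.strip())
    if m is None:
        raise ValueError(f"unrecognised finding line: {line!r}")
    return Finding(**m.groupdict())

def version_key(v: str) -> tuple:
    # Numeric-aware ordering; a textual qualifier such as "cloudera" sorts after a number.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v))

def in_range(version: str, low: str, high: str) -> bool:
    # Is the version inside the (inclusive) range the scanner printed for the finding?
    return version_key(low) <= version_key(version) <= version_key(high)

# Artifact the CVE record actually covers and its first fixed version.
# Assumption for this example, taken from the NVD record linked above; verify it there.
CVE_AFFECTED = {
    "CVE-2018-14721": ("com.fasterxml.jackson.core:jackson-databind", "2.9.7"),
}

def triage(line: str, cve_affected=CVE_AFFECTED) -> tuple:
    """Return (verdict, reason) for one scanner line."""
    f = parse_finding(line)
    coord = f"{f.group}:{f.artifact}"
    if f.cve not in cve_affected:
        return ("unknown", f"{f.cve}: no record for this CVE, review manually")
    affected_coord, fixed = cve_affected[f.cve]
    if coord != affected_coord:  # the thread's case: the CVE is about a different artifact
        return ("false_positive", f"{f.cve} covers {affected_coord}, not {coord}")
    if version_key(f.version) >= version_key(fixed):
        return ("not_affected", f"{coord}:{f.version} is at or above the fix {fixed}")
    return ("affected", f"{coord}:{f.version} is below the fix {fixed}")

# The line from the thread, plus two constructed jackson-databind lines for comparison.
SCANNER_LINE = ("gav://org.codehaus.jackson:jackson-mapper-asl:1.9.13,CVE-2018-14721,"
                "1.8.10-cloudera.2,1.5.0 <= Version <= 1.9.13")
DATABIND_OK = "gav://com.fasterxml.jackson.core:jackson-databind:2.13.4,CVE-2018-14721,x,2.0.0 <= Version <= 2.9.6"
DATABIND_OLD = "gav://com.fasterxml.jackson.core:jackson-databind:2.9.5,CVE-2018-14721,x,2.0.0 <= Version <= 2.9.6"
```

Running `triage(SCANNER_LINE)` yields a false positive because the coordinate is org.codehaus.jackson:jackson-mapper-asl rather than the artifact the record covers; the same check on the constructed 2.13.4 line yields not affected, matching Sean's reply.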
Re: [EXTERNAL] Re: [Spark vulnerability] replace jackson-mapper-asl
The CVE you mention seems to affect jackson-databind, not jackson-mapper-asl. 3.3.1 already uses databind 2.13.x which is not affected.

On Wed, Dec 14, 2022 at 8:20 AM haibo.w...@morganstanley.com <haibo.w...@morganstanley.com> wrote:

> Thanks Owen for the prompt response.
>
> Sorry, I forgot to mention it's the latest Spark version, 3.3.1.
>
> Both the spark-py image and the PyPI package below are good to use for us, but both have
> the same jackson-mapper-asl dependency.
>
> https://hub.docker.com/layers/apache/spark-py/3.3.1/images/sha256-0d4fd8bcb2ad63a35c9ba5be278a3a34c28fc15e898307e458d501a7e11d6d51?context=explore
> https://pypi.org/project/pyspark/
>
> Regards
> Harper
RE: [EXTERNAL] Re: [Spark vulnerability] replace jackson-mapper-asl
Thanks Owen for the prompt response.

Sorry, I forgot to mention it's the latest Spark version, 3.3.1.

Both the spark-py image and the PyPI package below are good to use for us, but both have the same jackson-mapper-asl dependency.

https://hub.docker.com/layers/apache/spark-py/3.3.1/images/sha256-0d4fd8bcb2ad63a35c9ba5be278a3a34c28fc15e898307e458d501a7e11d6d51?context=explore
https://pypi.org/project/pyspark/

Regards
Harper

From: Sean Owen <sro...@gmail.com>
Sent: Wednesday, December 14, 2022 9:32 PM
To: Wang, Harper (FRPPE) <haibo.w...@morganstanley.com>
Cc: user@spark.apache.org
Subject: [EXTERNAL] Re: [Spark vulnerability] replace jackson-mapper-asl

What Spark version are you referring to? If it's an unsupported version, no, no plans to update it.

What image are you referring to?

On Wed, Dec 14, 2022 at 7:14 AM haibo.w...@morganstanley.com wrote:

Hi All,

Hope you are doing well.

I'm writing this email about a vulnerability issue: CVE-2018-14721

apache/spark-py: gav://org.codehaus.jackson:jackson-mapper-asl:1.9.13,CVE-2018-14721,1.8.10-cloudera.2,1.5.0 <= Version <= 1.9.13

We are trying to bring the above image into our firm, but due to the vulnerability issue, pyspark is not allowed. I understand the version stopped being maintained in 2013; I'm wondering whether there is any plan to replace jackson-mapper-asl, or any workaround? Thanks.

Regards
Harper Wang
Morgan Stanley | Corporate & Funding Technology
Kerry Parkside | 1155 Fang Dian Road, Pudong New Area
201204 Shanghai
haibo.w...@morganstanley.com