[ https://issues.apache.org/jira/browse/SPARK-32336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean R. Owen resolved SPARK-32336.
----------------------------------
    Resolution: Invalid

Some of these are _Spark_ CVEs that are already resolved. Some do not seem to affect Spark. It isn't useful to dump the output of a static checker; which, if any, do you think affect Spark, and what's the resolution? There is no further description here.

> 11 Critical & 4 High severity issues in Apache Spark 3.0.0 - dependency libraries
> ---------------------------------------------------------------------------------
>
>                 Key: SPARK-32336
>                 URL: https://issues.apache.org/jira/browse/SPARK-32336
>             Project: Spark
>          Issue Type: Bug
>          Components: Build, Security
>    Affects Versions: 3.0.0
>         Environment: Generic Linux - but these dependencies are in the libraries that Spark pulls in.
> Given that several of these are several years old, and highly severe (remote code execution is possible), these libraries are ripe for exploitation and it is highly likely that exploits currently exist for these issues.
>
> Please upgrade the dependent libraries and run OWASP dependency check prior to all future releases.
>            Reporter: Albert Baker
>            Priority: Major
>              Labels: easyfix, security
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> CVE-2018-1337 (https://nvd.nist.gov/vuln/detail/CVE-2018-1337): In Apache Directory LDAP API before 1.0.2, - upgrade dependency to 1.0.2
> CVE-2018-17190 (https://nvd.nist.gov/vuln/detail/CVE-2018-17190): In all versions of Apache Spark,
> CVE-2017-15718 (https://nvd.nist.gov/vuln/detail/CVE-2017-15718): The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 - upgrade lib
> CVE-2018-21234 (https://nvd.nist.gov/vuln/detail/CVE-2018-21234): Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.
> CVE-2019-17571 (https://nvd.nist.gov/vuln/detail/CVE-2019-17571): Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
> CVE-2018-17190 (https://nvd.nist.gov/vuln/detail/CVE-2018-17190): In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker
> CVE-2020-9480 (https://nvd.nist.gov/vuln/detail/CVE-2020-9480): In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
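The reporter asks for an OWASP Dependency-Check run before every release, and the resolver's objection is that raw scanner output still needs triage: a finding that is already fixed, or that does not apply to the scanned artifacts, should be recorded with its reason rather than re-reported. The fragment below is an added example, not Spark's own build configuration, showing how both halves fit together: a Maven build plugin entry that runs the dependency-check-maven plugin with a failure threshold, and a suppression file that documents one triage decision. The plugin version, the CVSS threshold of 7 and the path dev/dependency-check-suppressions.xml are assumptions. The suppressed finding is CVE-2020-9480, which the issue's own table states affects Spark 2.4.5 and earlier, so a match against 3.0.0 artifacts is outside the affected range.

```xml
<!-- pom.xml: build plugin fragment (added example, not Spark's own pom.xml) -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>X.Y.Z</version> <!-- placeholder: pin to a current release of the plugin -->
      <configuration>
        <!-- fail the build on any finding with CVSS >= 7 (High/Critical); 7 is an assumed threshold -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- triage decisions live in version control next to the build, not in a ticket -->
        <suppressionFiles>
          <suppressionFile>dev/dependency-check-suppressions.xml</suppressionFile> <!-- assumed path -->
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

<!-- dev/dependency-check-suppressions.xml (assumed path): one entry per triaged finding -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2020-9480 affects Spark 2.4.5 and earlier (NVD text as quoted in SPARK-32336);
      the 3.0.0 artifacts under scan are outside the affected range, so this match is a false positive.
      Reviewed by: <reviewer>, date: <YYYY-MM-DD>   (fill in when the entry is added)
    ]]></notes>
    <!-- scope the suppression to the specific artifacts, not to the CVE globally -->
    <packageUrl regex="true">^pkg:maven/org\.apache\.spark/spark\-.*@3\..*$</packageUrl>
    <cve>CVE-2020-9480</cve>
  </suppress>
</suppressions>
```

With this in place, `mvn org.owasp:dependency-check-maven:check` runs in CI and fails the build only on findings that nobody has triaged. Each suppression is scoped by package URL and carries the reason and reviewer in its notes, so the report that reaches a ticket like this one contains only findings that still need a decision; a finding that genuinely applies gets a dependency upgrade, not a suppression entry.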