It's a dependency of some other HTTP library. Use mvn dependency:tree to see where it comes from. It may be more straightforward to upgrade the library that brings it in, assuming a later version brings in a later okio. You can also manage up the version directly with a new entry in <dependencyManagement>
However, does this affect Spark? all else equal it doesn't hurt to upgrade, but wondering if there is even a theory that it needs to be updated. On Thu, Aug 31, 2023 at 7:42 AM Agrawal, Sanket <sankeagra...@deloitte.com> wrote: > I don’t see an entry in pom.xml while building spark. I think it is being > downloaded as part of some other dependency. > > > > *From:* Sean Owen <sro...@gmail.com> > *Sent:* Thursday, August 31, 2023 5:10 PM > *To:* Agrawal, Sanket <sankeagra...@deloitte.com> > *Cc:* user@spark.apache.org > *Subject:* [EXT] Re: Okio Vulnerability in Spark 3.4.1 > > > > Does the vulnerability affect Spark? > > In any event, have you tried updating Okio in the Spark build? I don't > believe you could just replace the JAR, as other libraries probably rely on > it and compiled against the current version. > > > > On Thu, Aug 31, 2023 at 6:02 AM Agrawal, Sanket < > sankeagra...@deloitte.com.invalid> wrote: > > Hi All, > > > > Amazon inspector has detected a vulnerability in okio-1.15.0.jar JAR in > Spark 3.4.1. It suggests to upgrade the jar version to 3.4.0. But when we > try this version of jar then the spark application is failing with below > error: > > > > py4j.protocol.Py4JJavaError: An error occurred while calling > None.org.apache.spark.api.java.JavaSparkContext. > > : java.lang.NoClassDefFoundError: okio/BufferedSource > > at okhttp3.internal.Util.<clinit>(Util.java:62) > > at okhttp3.OkHttpClient.<clinit>(OkHttpClient.java:127) > > at okhttp3.OkHttpClient$Builder.<init>(OkHttpClient.java:475) > > at > io.fabric8.kubernetes.client.okhttp.OkHttpClientFactory.newOkHttpClientBuilder(OkHttpClientFactory.java:41) > > at > io.fabric8.kubernetes.client.okhttp.OkHttpClientFactory.newBuilder(OkHttpClientFactory.java:56) > > at > io.fabric8.kubernetes.client.okhttp.OkHttpClientFactory.newBuilder(OkHttpClientFactory.java:68) > > at > io.fabric8.kubernetes.client.okhttp.OkHttpClientFactory.newBuilder(OkHttpClientFactory.java:30) > > at > io.fabric8.kubernetes.client.KubernetesClientBuilder.getHttpClient(KubernetesClientBuilder.java:88) > > at > io.fabric8.kubernetes.client.KubernetesClientBuilder.build(KubernetesClientBuilder.java:78) > > at > org.apache.spark.deploy.k8s.SparkKubernetesClientFactory$.createKubernetesClient(SparkKubernetesClientFactory.scala:120) > > at > org.apache.spark.scheduler.cluster.k8s.KubernetesClusterManager.createSchedulerBackend(KubernetesClusterManager.scala:111) > > at > org.apache.spark.SparkContext$.org$apache$spark$SparkContext$$createTaskScheduler(SparkContext.scala:3037) > > at org.apache.spark.SparkContext.<init>(SparkContext.scala:568) > > at > org.apache.spark.api.java.JavaSparkContext.<init>(JavaSparkContext.scala:58) > > at > java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native > Method) > > at > java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(Unknown > Source) > > at > java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown > Source) > > at java.base/java.lang.reflect.Constructor.newInstance(Unknown > Source) > > at py4j.reflection.MethodInvoker.invoke(MethodInvoker.java:247) > > at > py4j.reflection.ReflectionEngine.invoke(ReflectionEngine.java:374) > > at py4j.Gateway.invoke(Gateway.java:238) > > at > py4j.commands.ConstructorCommand.invokeConstructor(ConstructorCommand.java:80) > > at > py4j.commands.ConstructorCommand.execute(ConstructorCommand.java:69) > > at > py4j.ClientServerConnection.waitForCommands(ClientServerConnection.java:182) > > at py4j.ClientServerConnection.run(ClientServerConnection.java:106) > > at java.base/java.lang.Thread.run(Unknown Source) > > Caused by: java.lang.ClassNotFoundException: okio.BufferedSource > > at > java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(Unknown Source) > > at > java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(Unknown > Source) > > at java.base/java.lang.ClassLoader.loadClass(Unknown Source) > > ... 26 more > > > > Replaced the existing jar with the JAR file at > https://repo1.maven.org/maven2/com/squareup/okio/okio/3.4.0/okio-3.4.0.jar > <https://secure-web.cisco.com/1bTvNPAJgVtYdy2nfHp1eUSEqLfelqshEI8TO89yzE25dM5y8HHDCwYxrzTLlmcAFi6uIbQLO2OiJht-xgXmI3lFdV8YpP0j3re47gncrBpwO9m6xYQeLhqXUAnUVP2MoxHbdHlZcdSwDqWkjbOKudm7Go1ICzxhw_VBXuK9n8XF3y7__B86mqWNsroDGD3hbH_tTQTHpXK-4tJCeIZTKmwItL1A3zlRL8lBHG_zgTDSiX9W7ufy8rHP2JZEp_FaftGMsnPA56IGHQVQAmOIobPSQDi4MfsiyUj0HsHPH3fZaz8_8TnPu178yfi8pCurkmr7b0X0NmFTdeAuFHKhdoOYooWDPsuBIYxknd3p1wLXrQezp26QrkjEiUMjNH9S18HPLH2BfN627X6zqQD7sVUUo1hzMRvnllVZVQWPL6H7lisyk-7w2pTAX6bm9wZuWTN9U4hZzjoc1-s1YumCiexaMOfiqEbTKppNDB8jOXBPIS9HDdEVDUl8OAIKz-T480x_NePZwHGT4hHtSwUaHCw/https%3A%2F%2Frepo1.maven.org%2Fmaven2%2Fcom%2Fsquareup%2Fokio%2Fokio%2F3.4.0%2Fokio-3.4.0.jar> > > > > > > PFB, the vulnerability details: > > Link: https://nvd.nist.gov/vuln/detail/CVE-2023-3635 > <https://secure-web.cisco.com/1KDv1iIbxjIsZCdyvwVzp9hDXe9ClcztVaj_gKzaoEQJ0Qb1BrTG7ivs0bsKiKVJvN8BJ0KvCwQKgWJGRfrWZYTkrgVMl1RfmnIn2fTYgyXd5ATU-4FBIQstOXRlc1dQnRNW9jr8OZCqV_xqbzAuLEP--uh0URczU8BYxyefL4Ly6ntQ2Y0BtKEOq3LZflTianf1d3UH30m_mmQmt3pE_3S7qFc9R9I3NqWJmkxuYVC1gVhnWBpbelMz5P7Q8D4GXo_L7tgj_nPwQyAcwqLjaIUVf-SYPU8T-WsaxeDkW6gp5oNKuYFqDzxXghsRJxzOj7i5noa1bj3-uSj0f0tT8xZ3L42uUTNgHczw65Kt1WnUK2-A_yhTmEhg07yFdwKQha6bQyn2KoicHjcdlQzAWsRmbBgzVjhDKMGdPn9Mrm5V7lw1QgeoFmddSJsreHy6TcNY2dXtqEzhw-OX2ibRtOrCX4M_n1ONE73yhGXAhqarKsd1tl5IgDfp_MlsFe9bkMa9G2AK5pcO0GeI8r7yDXA/https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE-2023-3635> > > > > Any guidance here would be of great help. > > > > Thanks, > > Sanket A. > > This message (including any attachments) contains confidential information > intended for a specific individual and purpose, and is protected by law. If > you are not the intended recipient, you should delete this message and any > disclosure, copying, or distribution of this message, or the taking of any > action based on it, by you is strictly prohibited. > > Deloitte refers to a Deloitte member firm, one of its related entities, or > Deloitte Touche Tohmatsu Limited ("DTTL"). Each Deloitte member firm is a > separate legal entity and a member of DTTL. DTTL does not provide services > to clients. Please see www.deloitte.com/about to learn more. > > v.E.1 > >