the api doesn't get used in the hadoop libraries; not sure about other dependencies.

probably makes sense to say on the jira that there's no need to panic here; I've had to start doing that as some of the security scanners appear to overreact
https://issues.apache.org/jira/browse/HDFS-16766

On Thu, 27 Oct 2022 at 16:56, Sean Owen <sro...@gmail.com> wrote:

> Right. It seems there is only one direct use of that part of commons-text,
> and it is not applied to user-supplied inputs (reads and substitutes into
> error message templates).
> At a glance I do not see how it would affect Spark; it's not impossible
> that it does. In any event, commons-text is being updated anyway in branch
> 3.2 and later, so this will be updated in maintained branches eventually.
> It missed the 3.3.1 release, but my message is, it's also not even clear it
> matters to Spark.
>
> I don't think this would become a Spark CVE; it affects commons-text.
> Sometimes CVEs note other affected software products when they are
> widely-used and very directly affected. But typically they would not list
> every single downstream user, let alone generate separate CVEs, and in any
> event here I do not see an argument that it affects Spark anyway.
>
> On Thu, Oct 27, 2022 at 10:08 AM Pastrana, Rodrigo (RIS-BCT) <
> rodrigo.pastr...@lexisnexisrisk.com> wrote:
>
>> Thanks Sean,
>>
>> I assume Spark’s not affected because it either doesn’t reference the
>> affected API(s) or because it does not unsafely utilize user input through
>> the vulnerable API(s), but is there an official statement about this from
>> Spark?
>>
>> We weren’t able to find references to 2022-42889 here:
>> https://spark.apache.org/security.html (likely because Spark determined
>> it is not affected?)
>>
>> *From:* Sean Owen <sro...@gmail.com>
>> *Sent:* Thursday, October 27, 2022 10:27 AM
>> *To:* Pastrana, Rodrigo (RIS-BCT) <rodrigo.pastr...@lexisnexisrisk.com.invalid>
>> *Cc:* dev@spark.apache.org
>> *Subject:* Re: CVE-2022-42889
>>
>> Probably a few months between maintenance releases.
>>
>> It does not appear to affect Spark, however.
>>
>> On Thu, Oct 27, 2022 at 9:24 AM Pastrana, Rodrigo (RIS-BCT) <
>> rodrigo.pastr...@lexisnexisrisk.com.invalid> wrote:
>>
>> Hello,
>>
>> This issue (SPARK-40801 <https://issues.apache.org/jira/browse/SPARK-40801>)
>> which addresses CVE-2022-42889 doesn’t seem to have been included in the
>> latest release (3.3.1 <https://spark.apache.org/releases/spark-release-3-3-1.html>).
>>
>> Is there a way to estimate a timeline for the first release which
>> includes that change (likely 3.3.2)? Much appreciation!
>>
>> ------------------------------
>> The information contained in this e-mail message is intended only for the
>> personal and confidential use of the recipient(s) named above. This message
>> may be an attorney-client communication and/or work product and as such is
>> privileged and confidential. If the reader of this message is not the
>> intended recipient or an agent responsible for delivering it to the
>> intended recipient, you are hereby notified that you have received this
>> document in error and that any review, dissemination, distribution, or
>> copying of this message is strictly prohibited. If you have received this
>> communication in error, please notify us immediately by e-mail, and delete
>> the original message.
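The distinction the thread turns on (developer-controlled message templates versus external input reaching the interpolating substitutor) is easier to audit for with the API calls side by side. The code below is an added example of mine, not Spark's or commons-text's own; the method names `StringSubstitutor.createInterpolator()`, `new StringSubstitutor(Map)`, `StringLookupFactory.mapStringLookup(Map)` and `StringLookupFactory.interpolatorStringLookup(Map, StringLookup, boolean)` are commons-text APIs known from the library rather than from this thread, and all template and variable values are constructed.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public final class TemplateRendering {

    // The call a CVE-2022-42889 review looks for: the interpolating substitutor
    // registers commons-text's default lookups, so any "${prefix:...}" in the
    // template or in a substituted value is handed to the lookup named by the
    // prefix. Acceptable only when template and values are developer-controlled,
    // which is the situation described for Spark's error-message templates.
    static String renderWithDefaultInterpolators(String developerTemplate) {
        return StringSubstitutor.createInterpolator().replace(developerTemplate);
    }

    // Hardened form for anything that may carry external input: a map-backed
    // substitutor resolves "${name}" from the supplied map and nothing else;
    // "${prefix:...}" is just an unknown key and is left in place verbatim.
    static String renderFromMapOnly(String template, Map<String, String> vars) {
        return new StringSubstitutor(vars).replace(template);
    }

    // When prefixed lookups are still wanted, register only the ones you choose
    // and pass addDefaultLookups=false so no built-in lookup is added.
    static String renderWithExplicitLookups(String template, Map<String, String> vars) {
        Map<String, StringLookup> lookups = new HashMap<>();
        lookups.put("var", StringLookupFactory.INSTANCE.mapStringLookup(vars));
        StringLookup interpolator =
                StringLookupFactory.INSTANCE.interpolatorStringLookup(lookups, null, false);
        return new StringSubstitutor(interpolator).replace(template);
    }

    public static void main(String[] args) {
        // Constructed sample: the template is fixed, but "user" comes from outside.
        Map<String, String> vars = new HashMap<>();
        vars.put("user", "alice");

        // Prints: Query from alice failed; see ${unknown:detail}
        System.out.println(renderFromMapOnly(
                "Query from ${user} failed; see ${unknown:detail}", vars));

        // Prints the same text: only the "var" lookup is registered, so the
        // "unknown" prefix resolves to nothing and stays literal.
        System.out.println(renderWithExplicitLookups(
                "Query from ${var:user} failed; see ${unknown:detail}", vars));
    }
}
```

Grepping a code base for `createInterpolator(` (and for `interpolatorStringLookup(` without a trailing `false`) is the quick way to enumerate the call sites that need the "is any of this input external?" question the thread asks.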