If you use vulnerable code in your application, sure, you might be exposed to its vulnerability. That's a problem for the application rather than Spark.
Here I am asking if you know of a reason this CVE affects Spark usage, because you're asking about mitigating it. I'm first establishing whether there is something to mitigate.

On Mon, Jan 27, 2025 at 11:26 PM Balaji Sudharsanam V <balaji.sudharsa...@ibm.com> wrote:
> Hi Mich,
>
> True, the vulnerable jar (hive-metastore-2.3.9.jar) is not directly related to Spark.
> And I completely agree, "Spark does not run a Hive metastore itself nor use Hive for executing queries."
>
> Like Nicholas said,
>
> When looking at vulnerabilities, many security teams, including ours, have begun to look at them as *Vulnerable or Affected*. *Vulnerable* being directly impacted by the vulnerability and exploitable, while *Affected* indicates that a vulnerable dependency/package/jar is being delivered with a product.
>
> With that said, what if a user accidentally uses one of these dependents in their Spark application, with the Java CLASSPATH set to give $SPARK_HOME/jars precedence, and in turn exposes the unknowing end user to a vulnerability that way?
>
> I am also new to this mailing list and discussions.
>
> Not sure on this "Can you connect the CVE to Spark?" Pls help with this!
>
> Thanks,
>
> Balaji