Madhusudan N created SPARK-25455:
------------------------------------
Summary: Spark bundles jackson library version, which is vulnerable
Key: SPARK-25455
URL: https://issues.apache.org/jira/browse/SPARK-25455
Project: Spark
Issue Type: Bug
Components: Spark Core
Affects Versions: 2.3.1, 2.2.0
Reporter: Madhusudan N
We have hosted one of our applications in SPARK standalone mode, and the
application has the jackson library dependencies listed below.
Version = 2.9.6
* jackson-core
* jackson-databind
* jackson-dataformat-cbor
* jackson-dataformat-xml
* jackson-dataformat-yaml
Due to a vulnerability in jackson 2.6.6, as indicated by Veracode, it has
been upgraded to version 2.9.6.
Please find the link which describes the vulnerability issue with jackson 2.6.6.
[http://cwe.mitre.org/data/definitions/470.html]
Spark versions (2.2.0 and 2.3.1) have dependencies on jackson-core 2.6.5 and
jackson-core 2.6.7, but our application needs jackson-core 2.9.6. Because of
this, the application crashes. Please find the stack trace below:

    Exception in thread "main" [Loaded java.lang.Throwable$WrappedPrintStream from /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar]
    java.lang.NoSuchFieldError: NO_INTS
        at com.fasterxml.jackson.dataformat.cbor.CBORParser.<init>(CBORParser.java:285)
        at com.fasterxml.jackson.dataformat.cbor.CBORParserBootstrapper.constructParser(CBORParserBootstrapper.java:91)
        at com.fasterxml.jackson.dataformat.cbor.CBORFactory._createParser(CBORFactory.java:377)
Spark needs to use jackson-core version 2.9.6, which does not have the
vulnerability.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
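The failure reported above is the classic symptom of two versions of the same jackson artifact reaching one JVM classpath (here, Spark's bundled jackson-core 2.6.x alongside the application's 2.9.6 modules), so the first thing to check on a deployment is which jackson jars are actually present and whether any artifact appears more than once. The following shell script is an added example, not part of the Jira report or of the Spark project; it assumes Maven-style jar names of the form `<artifact>-<version>.jar` and takes a classpath directory as its argument (for a standalone deployment that would typically be `$SPARK_HOME/jars` together with the application's lib directory, both of which are assumptions here).

```shell
#!/bin/sh
# Added example (not from the Jira report or from Spark): inventory the
# jackson jars under a directory and flag any artifact that is present in
# more than one version, the condition behind NoSuchFieldError-style
# crashes such as the CBORParser failure in the report.

# Print "artifact version" for every jackson-*.jar found under $1.
# Assumes Maven-style names: <artifact>-<version>.jar; jars whose name
# does not end in a version (e.g. "-sources") are ignored.
list_jackson_jars() {
    dir="$1"
    find "$dir" -name 'jackson-*.jar' 2>/dev/null | while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        # The version is the last dash-separated component that starts with a digit.
        version=$(printf '%s\n' "$base" | sed -n 's/^.*-\([0-9][0-9.]*[^-]*\)$/\1/p')
        artifact=${base%-"$version"}
        [ -n "$version" ] && printf '%s %s\n' "$artifact" "$version"
    done | sort -u
}

# Return 0 when every jackson artifact under $1 exists in exactly one
# version; otherwise print the conflicting artifacts to stderr and return 1.
check_jackson_versions() {
    conflicts=$(list_jackson_jars "$1" | awk '
        { versions[$1] = versions[$1] " " $2; count[$1]++ }
        END { for (a in count) if (count[a] > 1) print a ":" versions[a] }')
    if [ -n "$conflicts" ]; then
        printf 'conflicting jackson versions found:\n%s\n' "$conflicts" >&2
        return 1
    fi
    return 0
}

# Usage (directory below is a placeholder for the real Spark jars directory):
# check_jackson_versions /path/to/spark/jars
```

Running the check against the combined Spark and application classpath before the job is submitted turns the runtime crash into a deployment-time finding, and the printed list shows exactly which artifact (and which versions) must be aligned or shaded.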