Michael Burgener created SPARK-30466:
----------------------------------------
Summary: remove dependency on jackson-mapper-asl-1.9.13 and jackson-core-asl-1.9.13
Key: SPARK-30466
URL: https://issues.apache.org/jira/browse/SPARK-30466
Project: Spark
Issue Type: Bug
Components: Build
Affects Versions: 2.4.4, 3.0.0
Reporter: Michael Burgener
These two libraries are deprecated and replaced by the jackson-databind libraries,
which are already included. These two libraries are flagged by our vulnerability
scanners as having the following security vulnerabilities. I've set the priority
to Major due to the Critical nature, and hopefully they can be addressed quickly.
Please note, I'm not a developer but work in InfoSec, and this was flagged when we
incorporated Spark into our product. If you feel the priority is not set correctly,
please change it accordingly. I'll watch the issue and flag our dev team to update
once it is resolved.
jackson-mapper-asl-1.9.13
CVE-2018-7489 (CVSS 3.0 Score 9.8 CRITICAL)
[https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
CVE-2017-7525 (CVSS 3.0 Score 9.8 CRITICAL)
[https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
CVE-2017-17485 (CVSS 3.0 Score 9.8 CRITICAL)
[https://nvd.nist.gov/vuln/detail/CVE-2017-17485]
CVE-2017-15095 (CVSS 3.0 Score 9.8 CRITICAL)
[https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
CVE-2018-5968 (CVSS 3.0 Score 8.1 HIGH)
[https://nvd.nist.gov/vuln/detail/CVE-2018-5968]
jackson-core-asl-1.9.13
CVE-2016-7051 (CVSS 3.0 Score 8.6 HIGH)
[https://nvd.nist.gov/vuln/detail/CVE-2016-7051]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
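A check a practitioner would run against a Spark distribution before and after a removal like the one this issue asks for, as an added example that is not part of the issue or of the Spark project: a Python script that scans a jars directory for org.codehaus.jackson code. It reads the Maven pom.properties that upstream jars embed under META-INF/maven (standard Maven jar metadata) to report an exact artifactId and version, and separately counts class files under org/codehaus/jackson/ so that a shaded or relocated copy inside an application uber-jar, which carries no metadata and an arbitrary file name, is still flagged. The three jars it builds are constructed in a temporary directory purely for illustration; the jackson-databind jar stands in for the replacement library and must not be reported.

```python
"""Audit a jars directory for legacy org.codehaus.jackson (jackson-*-asl) code.

Two detection signals are combined:
  1. Maven metadata: META-INF/maven/org.codehaus.jackson/<artifactId>/pom.properties
     yields an exact artifactId and version (present in the upstream jars).
  2. Class path: any entry under org/codehaus/jackson/ catches shaded copies that a
     filename-based scanner misses (no metadata, arbitrary jar name).
"""
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List

CODEHAUS_PREFIX = "org/codehaus/jackson/"
POM_PREFIX = "META-INF/maven/org.codehaus.jackson/"


@dataclass
class Finding:
    jar: str
    artifact: str   # artifactId from pom.properties, or "shaded" when only classes were found
    version: str    # version from pom.properties, or "unknown"
    classes: int    # number of org.codehaus.jackson class files in the jar


def _parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value lines, '#' comments ignored."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def scan_jar(path: str) -> List[Finding]:
    """Return one Finding per embedded org.codehaus.jackson artifact, or a single
    'shaded' Finding when classes are present without Maven metadata."""
    findings: List[Finding] = []
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        n_classes = sum(1 for n in names
                        if n.startswith(CODEHAUS_PREFIX) and n.endswith(".class"))
        poms = [n for n in names if n.startswith(POM_PREFIX) and n.endswith("pom.properties")]
        for pom in poms:
            props = _parse_properties(zf.read(pom).decode("utf-8", "replace"))
            findings.append(Finding(os.path.basename(path),
                                    props.get("artifactId", "?"),
                                    props.get("version", "unknown"),
                                    n_classes))
        if not poms and n_classes:
            findings.append(Finding(os.path.basename(path), "shaded", "unknown", n_classes))
    return findings


def scan_jars(directory: str) -> List[Finding]:
    """Scan every *.jar directly under `directory`, in sorted name order."""
    out: List[Finding] = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".jar"):
            out.extend(scan_jar(os.path.join(directory, name)))
    return out


def make_sample_jars(directory: str) -> None:
    """Constructed sample input (not real Spark artifacts); class bodies are just a magic number."""
    magic = b"\xca\xfe\xba\xbe"
    # 1. the upstream artifact, with Maven metadata and two classes
    with zipfile.ZipFile(os.path.join(directory, "jackson-mapper-asl-1.9.13.jar"), "w") as zf:
        zf.writestr("META-INF/maven/org.codehaus.jackson/jackson-mapper-asl/pom.properties",
                    "#Generated by Maven\nversion=1.9.13\n"
                    "groupId=org.codehaus.jackson\nartifactId=jackson-mapper-asl\n")
        zf.writestr("org/codehaus/jackson/map/ObjectMapper.class", magic)
        zf.writestr("org/codehaus/jackson/map/DeserializationConfig.class", magic)
    # 2. an application uber-jar that shaded a codehaus class in without any metadata
    with zipfile.ZipFile(os.path.join(directory, "my-app-assembly.jar"), "w") as zf:
        zf.writestr("com/example/Main.class", magic)
        zf.writestr("org/codehaus/jackson/JsonParser.class", magic)
    # 3. the replacement library (com.fasterxml) only: must not be flagged
    with zipfile.ZipFile(os.path.join(directory, "jackson-databind-2.10.0.jar"), "w") as zf:
        zf.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                    "version=2.10.0\ngroupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n")
        zf.writestr("com/fasterxml/jackson/databind/ObjectMapper.class", magic)


def scan_sample() -> List[Finding]:
    """Build the constructed jars in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as d:
        make_sample_jars(d)
        return scan_jars(d)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.jar}: {f.artifact} {f.version} ({f.classes} org.codehaus.jackson classes)")
```

Point it at a real distribution with `scan_jars("/opt/spark/jars")`. A hit with a reported artifactId tells you the artifact is still on the classpath; a "shaded" hit means some bundled jar carries the classes regardless of what the build's dependency tree says, which is the case a filename-based scanner report does not show.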