[ https://issues.apache.org/jira/browse/SPARK-30466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17143569#comment-17143569 ]
Prashant Sharma commented on SPARK-30466:
-----------------------------------------

I just saw that Hadoop 3.2.1 still uses these jars (jackson-mapper-asl-1.9.13 and jackson-core-asl-1.9.13); they are a transitive dependency of jersey-json. See below.

{code:java}
[INFO] org.apache.hadoop:hadoop-common:jar:3.2.1
[INFO] +- org.apache.hadoop:hadoop-annotations:jar:3.2.1:compile
[INFO] |  \- jdk.tools:jdk.tools:jar:1.8:system
[INFO] +- com.google.guava:guava:jar:27.0-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:2.5.2:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.2.0:compile
[INFO] |  +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.17:compile
[INFO] +- commons-cli:commons-cli:jar:1.2:compile
[INFO] +- org.apache.commons:commons-math3:jar:3.1.1:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.6:compile
[INFO] |  \- org.apache.httpcomponents:httpcore:jar:4.4.10:compile
[INFO] +- commons-codec:commons-codec:jar:1.11:compile
[INFO] +- commons-io:commons-io:jar:2.5:compile
[INFO] +- commons-net:commons-net:jar:3.6:compile
[INFO] +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:compile
[INFO] +- org.eclipse.jetty:jetty-server:jar:9.3.24.v20180605:compile
[INFO] |  +- org.eclipse.jetty:jetty-http:jar:9.3.24.v20180605:compile
[INFO] |  \- org.eclipse.jetty:jetty-io:jar:9.3.24.v20180605:compile
[INFO] +- org.eclipse.jetty:jetty-util:jar:9.3.24.v20180605:compile
[INFO] +- org.eclipse.jetty:jetty-servlet:jar:9.3.24.v20180605:compile
[INFO] |  \- org.eclipse.jetty:jetty-security:jar:9.3.24.v20180605:compile
[INFO] +- org.eclipse.jetty:jetty-webapp:jar:9.3.24.v20180605:compile
[INFO] |  \- org.eclipse.jetty:jetty-xml:jar:9.3.24.v20180605:compile
[INFO] +- org.eclipse.jetty:jetty-util-ajax:jar:9.3.24.v20180605:test
[INFO] +- javax.servlet.jsp:jsp-api:jar:2.1:runtime
[INFO] +- com.sun.jersey:jersey-core:jar:1.19:compile
[INFO] |  \- javax.ws.rs:jsr311-api:jar:1.1.1:compile
[INFO] +- com.sun.jersey:jersey-servlet:jar:1.19:compile
[INFO] +- com.sun.jersey:jersey-json:jar:1.19:compile
[INFO] |  +- org.codehaus.jettison:jettison:jar:1.1:compile
[INFO] |  +- com.sun.xml.bind:jaxb-impl:jar:2.2.3-1:compile
[INFO] |  |  \- javax.xml.bind:jaxb-api:jar:2.2.11:compile
[INFO] |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
[INFO] |  \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
[INFO] +- com.sun.jersey:jersey-server:jar:1.19:compile
{code}

> remove dependency on jackson-mapper-asl-1.9.13 and jackson-core-asl-1.9.13
> --------------------------------------------------------------------------
>
> Key: SPARK-30466
> URL: https://issues.apache.org/jira/browse/SPARK-30466
> Project: Spark
> Issue Type: Bug
> Components: Build
> Affects Versions: 2.4.4, 3.0.0
> Reporter: Michael Burgener
> Priority: Major
> Labels: security
>
> These 2 libraries are deprecated and replaced by the jackson-databind
> libraries which are already included. These two libraries are flagged by our
> vulnerability scanners as having the following security vulnerabilities.
> I've set the priority to Major due to the Critical nature and hopefully they
> can be addressed quickly. Please note, I'm not a developer but work in
> InfoSec and this was flagged when we incorporated Spark into our product. If
> you feel the priority is not set correctly please change accordingly. I'll
> watch the issue and flag our dev team to update once resolved.
> jackson-mapper-asl-1.9.13
> CVE-2018-7489 (CVSS 3.0 Score 9.8 CRITICAL)
> [https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
>
> CVE-2017-7525 (CVSS 3.0 Score 9.8 CRITICAL)
> [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
>
> CVE-2017-17485 (CVSS 3.0 Score 9.8 CRITICAL)
> [https://nvd.nist.gov/vuln/detail/CVE-2017-17485]
>
> CVE-2017-15095 (CVSS 3.0 Score 9.8 CRITICAL)
> [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
>
> CVE-2018-5968 (CVSS 3.0 Score 8.1 High)
> [https://nvd.nist.gov/vuln/detail/CVE-2018-5968]
>
> jackson-core-asl-1.9.13
> CVE-2016-7051 (CVSS 3.0 Score 8.6 High)
> [https://nvd.nist.gov/vuln/detail/CVE-2016-7051]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
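To find out which direct dependency drags a scanner-flagged jar into a build (the question the dependency tree above answers by hand), here is an added example that is not part of this Jira thread: it parses `mvn dependency:tree` output and reports every chain from the root module down to a given groupId:artifactId, plus the direct dependency on which an `<exclusion>` would have to be declared. It assumes Maven's real three-column tree indentation (`|  ` / `   ` units before `+- ` or `\- `), which the mail client collapsed in the excerpt above.

```python
import re

# Excerpt of the hadoop-common 3.2.1 tree from the comment above, with
# Maven's three-column indentation restored (the mail collapsed the spaces).
SAMPLE_TREE = """\
[INFO] org.apache.hadoop:hadoop-common:jar:3.2.1
[INFO] +- org.apache.hadoop:hadoop-annotations:jar:3.2.1:compile
[INFO] |  \\- jdk.tools:jdk.tools:jar:1.8:system
[INFO] +- com.sun.jersey:jersey-json:jar:1.19:compile
[INFO] |  +- com.sun.xml.bind:jaxb-impl:jar:2.2.3-1:compile
[INFO] |  |  \\- javax.xml.bind:jaxb-api:jar:2.2.11:compile
[INFO] |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] |  \\- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
"""

# "[INFO] " + indent units "|  "/"   " + optional "+- " or "\- " + groupId:artifactId:type:version[:scope]
LINE_RE = re.compile(
    r"^\[INFO\] (?P<indent>(?:[| ]  )*)(?P<marker>[+\\]- )?(?P<coord>[\w.\-]+:[\w.\-]+:\S+)$")


def parse_tree(text):
    """Yield (depth, coordinate) for each tree line; the root module is depth 0."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # other Maven log lines do not match and are skipped
            depth = len(m.group("indent")) // 3 + (1 if m.group("marker") else 0)
            yield depth, m.group("coord")


def find_paths(tree_text, group_artifact):
    """Return every root-to-artifact chain (list of coordinates) for a groupId:artifactId."""
    paths, stack = [], []  # stack[i] is the node currently open at depth i
    for depth, coord in parse_tree(tree_text):
        del stack[depth:]  # a node at depth d closes everything at depth >= d
        stack.append(coord)
        if ":".join(coord.split(":")[:2]) == group_artifact:
            paths.append(list(stack))
    return paths


def exclusion_points(paths):
    """groupId:artifactId of the direct dependency each chain enters through (where an <exclusion> goes)."""
    return sorted({":".join(p[1].split(":")[:2]) for p in paths if len(p) > 1})


if __name__ == "__main__":
    chains = find_paths(SAMPLE_TREE, "org.codehaus.jackson:jackson-mapper-asl")
    for chain in chains:
        print(" -> ".join(chain))
    print("exclude on:", exclusion_points(chains))
```

Run it against the full output of `mvn dependency:tree` for your own module; when the root is your project rather than hadoop-common, the exclusion point it reports is the direct dependency in your pom (hadoop-common in Spark's case).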