Albert Baker created SPARK-32336:
------------------------------------

             Summary: 11 Critical & 4 High severity issues in Apache Spark 3.0.0 - dependency libraries
                 Key: SPARK-32336
                 URL: https://issues.apache.org/jira/browse/SPARK-32336
             Project: Spark
          Issue Type: Bug
          Components: Build, Security
    Affects Versions: 3.0.0
         Environment: Generic Linux - but these dependencies are in the libraries that Spark pulls in.

Given that several of these are several years old and highly severe (remote code execution is possible), these libraries are ripe for exploitation and it is highly likely that exploits currently exist for these issues.

Please upgrade the dependent libraries and run OWASP Dependency-Check prior to all future releases.
            Reporter: Albert Baker


||*[CVE-2018-1337|https://nvd.nist.gov/vuln/detail/CVE-2018-1337]*|In Apache Directory LDAP API before 1.0.2, - upgrade dependency to 1.0.2|
||*[CVE-2018-17190|https://nvd.nist.gov/vuln/detail/CVE-2018-17190]*|In all versions of Apache Spark,|
||*[CVE-2017-15718|https://nvd.nist.gov/vuln/detail/CVE-2017-15718]*|The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 - upgrade lib|
||*[CVE-2018-21234|https://nvd.nist.gov/vuln/detail/CVE-2018-21234]*|Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.|
||*[CVE-2019-17571|https://nvd.nist.gov/vuln/detail/CVE-2019-17571]*|Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.|
||*[CVE-2018-17190|https://nvd.nist.gov/vuln/detail/CVE-2018-17190]*|In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker|
||*[CVE-2020-9480|https://nvd.nist.gov/vuln/detail/CVE-2020-9480]*|In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret.|



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
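The reporter asks that OWASP Dependency-Check be run before every release. The script below is an added example of the release gate such a run needs; it is not code from the Jira issue, from the reporter, or from the Spark build. It assumes the report is produced by the Dependency-Check CLI in JSON form (for instance `dependency-check.sh --project spark --scan <jars dir> --format JSON --out <dir>`) and that the JSON follows the tool's layout of `dependencies[]` holding `vulnerabilities[]` entries with `name`, `severity`, `cvssv3.baseScore` and `cvssv2.score`. Everything named in the sample report (jar file names, severities, scores, the placeholder finding EXAMPLE-0001) is constructed for the example; the CVE names are the ones from this issue, but their scores here are illustrative, not NVD values. The `suppressed` parameter plays the role of the tool's suppression file for reviewed findings.

```python
"""Release gate over an OWASP Dependency-Check JSON report.

Added example, not part of the Jira issue or of the Spark build. It assumes the
report was produced by the Dependency-Check CLI (--format JSON) and follows the
tool's layout: dependencies[] -> vulnerabilities[] with name, severity,
cvssv3.baseScore and cvssv2.score. SAMPLE_REPORT is a hand-constructed stand-in
for that file; its jar names and scores are illustrative only.
"""
import json
import sys
from collections import Counter
from typing import FrozenSet, List, Tuple

# Constructed sample report (not real scanner output). Scores are illustrative.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "log4j-1.2.17.jar", "vulnerabilities": [
        {"name": "CVE-2019-17571", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}}]},
    {"fileName": "jodd-core-3.5.2.jar", "vulnerabilities": [
        {"name": "CVE-2018-21234", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}}]},
    {"fileName": "hadoop-yarn-server-nodemanager-2.7.4.jar", "vulnerabilities": [
        {"name": "CVE-2017-15718", "severity": "HIGH", "cvssv3": {"baseScore": 8.8}}]},
    {"fileName": "api-ldap-client-api-1.0.0.jar", "vulnerabilities": [
        {"name": "CVE-2018-1337", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}}]},
    {"fileName": "commons-lang3-3.9.jar", "vulnerabilities": []},
    {"fileName": "example-lib-1.0.jar", "vulnerabilities": [
        # placeholder finding (not a real CVE) that only carries a CVSS v2 score,
        # as older NVD entries do
        {"name": "EXAMPLE-0001", "severity": "MEDIUM", "cvssv2": {"score": 5.0}}]},
]})


def score_of(vuln: dict) -> float:
    """Prefer the CVSS v3 base score, fall back to v2, and treat a finding with
    neither as 0.0 (it is still counted by severity, just never blocks)."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    return float(v2.get("score", 0.0))


def evaluate_report(report_json: str, fail_on_cvss: float = 7.0,
                    suppressed: FrozenSet[str] = frozenset()
                    ) -> Tuple[Counter, List[Tuple[str, str, float]]]:
    """Count findings per severity label and list the ones that block the release.

    A finding blocks when its score is at or above fail_on_cvss and its name is
    not in `suppressed` (reviewed false positives / accepted risks, the same idea
    as Dependency-Check's suppression file). Blocking findings come back sorted
    by descending score, then jar name."""
    report = json.loads(report_json)
    counts: Counter = Counter()
    blocking: List[Tuple[str, str, float]] = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            counts[str(vuln.get("severity", "UNKNOWN")).upper()] += 1
            score = score_of(vuln)
            if score >= fail_on_cvss and vuln["name"] not in suppressed:
                blocking.append((dep["fileName"], vuln["name"], score))
    blocking.sort(key=lambda t: (-t[2], t[0]))
    return counts, blocking


def gate(report_json: str, fail_on_cvss: float = 7.0,
         suppressed: FrozenSet[str] = frozenset()) -> int:
    """Print a summary and return a process exit status: 1 blocks the release."""
    counts, blocking = evaluate_report(report_json, fail_on_cvss, suppressed)
    print("findings by severity:",
          ", ".join(f"{k}={counts[k]}" for k in ("CRITICAL", "HIGH", "MEDIUM", "LOW")))
    for jar, name, score in blocking:
        print(f"BLOCKING  {score:>4}  {name:<16} {jar}")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python gate.py [dependency-check-report.json]. With no argument the
    # constructed sample is evaluated; it fails the gate on four findings.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(src))
```

Wire the non-zero exit status into the release job so a build with any finding at or above the threshold cannot be published; lower `fail_on_cvss` or add the `suppressed` set only after each entry has been reviewed and the review recorded, otherwise the gate silently becomes a report.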
