[ https://issues.apache.org/jira/browse/SPARK-34511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

eoin updated SPARK-34511:
-------------------------
    Description: 
The following libraries have the following vulnerabilities that will fail Nexus
security scans. They are deemed as threats of level 7 and higher on the
Sonatype/Nexus scale. Many of them can be fixed by upgrading the dependencies
as they are fixed in subsequent releases.

[Update] com.fasterxml.woodstox : woodstox-core : 5.0.3
 * [https://github.com/FasterXML/woodstox/issues/50]
 * [https://github.com/FasterXML/woodstox/issues/51]
 * [https://github.com/FasterXML/woodstox/issues/61]

com.nimbusds : nimbus-jose-jwt : 4.41.1
 * [https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt]
 * [https://connect2id.com/blog/nimbus-jose-jwt-7-9]

Log4j : log4j : 1.2.17
 SocketServer class that is vulnerable to deserialization of untrusted data:
 * https://issues.apache.org/jira/browse/LOG4J2-1863
 * [https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E]
 * [https://bugzilla.redhat.com/show_bug.cgi?id=1785616]
 Dynamic-link Library (DLL) Preloading:
 * [https://bz.apache.org/bugzilla/show_bug.cgi?id=50323]

apache-xerces : xercesImpl : 2.9.1
 * hash table collisions -> https://issues.apache.org/jira/browse/XERCESJ-1685
 * [https://mail-archives.apache.org/mod_mbox/xerces-j-dev/201410.mbox/%3cof3b40f5f7.e6552a8b-on85257d73.00699ed7-85257d73.006a9...@ca.ibm.com%3E]
 * [https://bugzilla.redhat.com/show_bug.cgi?id=1019176]

com.fasterxml.jackson.core : jackson-databind : 2.10.0
 * [https://github.com/FasterXML/jackson-databind/issues/2589]

commons-beanutils : commons-beanutils : 1.9.3
 * [http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader]
 * https://issues.apache.org/jira/browse/BEANUTILS-463

commons-io : commons-io : 2.5
 * [https://github.com/apache/commons-io/pull/52]
 * https://issues.apache.org/jira/browse/IO-556
 * https://issues.apache.org/jira/browse/IO-559

io.netty : netty-all : 4.1.47.Final
 * [https://github.com/netty/netty/issues/10351]
 * [https://github.com/netty/netty/pull/10560]

org.apache.commons : commons-compress : 1.18
 * [https://commons.apache.org/proper/commons-compress/security-reports.html#Apache_Commons_Compress_Security_Vulnerabilities]

org.apache.hadoop : hadoop-hdfs : 2.7.4
 * [https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E]
 * [https://lists.apache.org/thread.html/caacbbba2dcc1105163f76f3dfee5fbd22e0417e0783212787086378@%3Cgeneral.hadoop.apache.org%3E]
 * [https://hadoop.apache.org/cve_list.html]
 * [https://www.openwall.com/lists/oss-security/2019/01/24/3]

org.apache.hadoop : hadoop-mapreduce-client-core : 2.7.4
 * [https://bugzilla.redhat.com/show_bug.cgi?id=1516399]
 * [https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E]

org.codehaus.jackson : jackson-mapper-asl : 1.9.13
 * [https://github.com/FasterXML/jackson-databind/issues/1599]
 * [https://blog.sonatype.com/jackson-databind-remote-code-execution]
 * [https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist]
 * [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525]
 * [https://access.redhat.com/security/cve/cve-2019-10172]
 * [https://bugzilla.redhat.com/show_bug.cgi?id=1715075]
 * [https://nvd.nist.gov/vuln/detail/CVE-2019-10172]

org.eclipse.jetty : jetty-http : 9.3.24.v20180605
 * [https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096]

org.eclipse.jetty : jetty-webapp : 9.3.24.v20180605
 * [https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921]
 * [https://github.com/eclipse/jetty.project/issues/5451]
 * [https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6]

 

  was:
The following libraries have the following vulnerabilities that will fail Nexus
security scans. They are deemed as threats of level 7 and higher on the
Sonatype/Nexus scale. Many of them can be fixed by upgrading the dependencies
as they are fixed in subsequent releases.

com.fasterxml.woodstox : woodstox-core : 5.0.3
 * [https://github.com/FasterXML/woodstox/issues/50]
 * [https://github.com/FasterXML/woodstox/issues/51]
 * [https://github.com/FasterXML/woodstox/issues/61]

com.nimbusds : nimbus-jose-jwt : 4.41.1
 * [https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt]
 * [https://connect2id.com/blog/nimbus-jose-jwt-7-9]

Log4j : log4j : 1.2.17
 SocketServer class that is vulnerable to deserialization of untrusted data:
 * https://issues.apache.org/jira/browse/LOG4J2-1863
 * [https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E]
 * [https://bugzilla.redhat.com/show_bug.cgi?id=1785616]
 Dynamic-link Library (DLL) Preloading:
 * [https://bz.apache.org/bugzilla/show_bug.cgi?id=50323]

apache-xerces : xercesImpl : 2.9.1
 * hash table collisions -> https://issues.apache.org/jira/browse/XERCESJ-1685
 * [https://mail-archives.apache.org/mod_mbox/xerces-j-dev/201410.mbox/%3cof3b40f5f7.e6552a8b-on85257d73.00699ed7-85257d73.006a9...@ca.ibm.com%3E]
 * [https://bugzilla.redhat.com/show_bug.cgi?id=1019176]

com.fasterxml.jackson.core : jackson-databind : 2.10.0
 * [https://github.com/FasterXML/jackson-databind/issues/2589]

commons-beanutils : commons-beanutils : 1.9.3
 * [http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader]
 * https://issues.apache.org/jira/browse/BEANUTILS-463

commons-io : commons-io : 2.5
 * [https://github.com/apache/commons-io/pull/52]
 * https://issues.apache.org/jira/browse/IO-556
 * https://issues.apache.org/jira/browse/IO-559

io.netty : netty-all : 4.1.47.Final
 * [https://github.com/netty/netty/issues/10351]
 * [https://github.com/netty/netty/pull/10560]

org.apache.commons : commons-compress : 1.18
 * [https://commons.apache.org/proper/commons-compress/security-reports.html#Apache_Commons_Compress_Security_Vulnerabilities]

org.apache.hadoop : hadoop-hdfs : 2.7.4
 * [https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E]
 * [https://lists.apache.org/thread.html/caacbbba2dcc1105163f76f3dfee5fbd22e0417e0783212787086378@%3Cgeneral.hadoop.apache.org%3E]
 * [https://hadoop.apache.org/cve_list.html]
 * [https://www.openwall.com/lists/oss-security/2019/01/24/3]

org.apache.hadoop : hadoop-mapreduce-client-core : 2.7.4
 * [https://bugzilla.redhat.com/show_bug.cgi?id=1516399]
 * [https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E]

org.codehaus.jackson : jackson-mapper-asl : 1.9.13
 * [https://github.com/FasterXML/jackson-databind/issues/1599]
 * [https://blog.sonatype.com/jackson-databind-remote-code-execution]
 * [https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist]
 * [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525]
 * [https://access.redhat.com/security/cve/cve-2019-10172]
 * [https://bugzilla.redhat.com/show_bug.cgi?id=1715075]
 * [https://nvd.nist.gov/vuln/detail/CVE-2019-10172]

org.eclipse.jetty : jetty-http : 9.3.24.v20180605
 * [https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096]

org.eclipse.jetty : jetty-webapp : 9.3.24.v20180605
 * [https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921]
 * [https://github.com/eclipse/jetty.project/issues/5451]
 * [https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6]



> Current Security vulnerabilities in spark libraries
> ---------------------------------------------------
>
>                 Key: SPARK-34511
>                 URL: https://issues.apache.org/jira/browse/SPARK-34511
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Build
>    Affects Versions: 3.0.1
>            Reporter: eoin
>            Priority: Major
>              Labels: security
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

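Added example, not Spark project code and not part of the reporter's issue: a Python script that reproduces the finding described above offline, before a Nexus scan runs. It reads either the jar file names of an unpacked Spark distribution's jars/ directory or the output of `mvn dependency:list`, and reports every artifact whose version is at or below the version the issue lists, on the issue's own premise that later releases carry the fix. Assumptions: the flagged artifactId/version pairs are copied from the issue text; matching is on artifactId alone because jar file names carry no groupId; the version ordering is a simplified approximation of Maven's, not its ComparableVersion; and the sample jar listing and Maven output embedded below are constructed for the example, not taken from a real build.

```python
"""Check a Spark build for the dependency versions flagged in SPARK-34511.

Added example for this issue (not Spark project code). Input is either the
jar file names of a distribution's jars/ directory or `mvn dependency:list`
output; output is every artifact at or below the flagged version.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# artifactId -> version as written in SPARK-34511. Keyed by artifactId only,
# because jar file names do not carry the Maven groupId.
FLAGGED: Dict[str, str] = {
    "woodstox-core": "5.0.3",
    "nimbus-jose-jwt": "4.41.1",
    "log4j": "1.2.17",
    "xercesImpl": "2.9.1",
    "jackson-databind": "2.10.0",
    "commons-beanutils": "1.9.3",
    "commons-io": "2.5",
    "netty-all": "4.1.47.Final",
    "commons-compress": "1.18",
    "hadoop-hdfs": "2.7.4",
    "hadoop-mapreduce-client-core": "2.7.4",
    "jackson-mapper-asl": "1.9.13",
    "jetty-http": "9.3.24.v20180605",
    "jetty-webapp": "9.3.24.v20180605",
}

# "<artifactId>-<version>.jar": the version begins at the first "-" that is
# followed by a digit, so "spark-core_2.12-3.0.1.jar" splits correctly.
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def version_key(version: str) -> List[Tuple[int, object]]:
    """Sort key approximating Maven ordering (simplified, not ComparableVersion).
    Tokens are split on '.', '-' and '_'; numeric tokens compare as integers and
    rank above alphabetic ones such as 'Final' or 'v20180605'."""
    key: List[Tuple[int, object]] = []
    for tok in re.split(r"[.\-_]", version):
        key.append((1, int(tok)) if tok.isdigit() else (0, tok.lower()))
    return key


def at_or_below(found: str, flagged: str) -> bool:
    """True when `found` is the flagged version or older."""
    return version_key(found) <= version_key(flagged)


def parse_mvn_line(line: str) -> Optional[Tuple[str, str]]:
    """Parse one `mvn dependency:list` line into (artifactId, version).
    Format is group:artifact:type[:classifier]:version:scope; anything else
    (headers, blank lines) yields None."""
    line = line.strip()
    if not line.startswith("[INFO]"):
        return None
    parts = line[len("[INFO]"):].strip().split(":")
    if len(parts) == 5:
        return parts[1], parts[3]
    if len(parts) == 6:  # classifier present, e.g. ...:jar:tests:2.7.4:test
        return parts[1], parts[4]
    return None


def coords_from_jar_names(names: Iterable[str]) -> List[Tuple[str, str]]:
    out = []
    for name in names:
        m = JAR_NAME.match(Path(name).name)
        if m:
            out.append((m.group("artifact"), m.group("version")))
    return out


def coords_from_mvn_output(text: str) -> List[Tuple[str, str]]:
    return [c for c in (parse_mvn_line(l) for l in text.splitlines()) if c]


def audit(coords: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (artifactId, found_version, flagged_version) for every coordinate
    listed in FLAGGED whose version is not newer than the flagged one."""
    hits = set()
    for artifact, version in coords:
        flagged = FLAGGED.get(artifact)
        if flagged is not None and at_or_below(version, flagged):
            hits.add((artifact, version, flagged))
    return sorted(hits)


def audit_jar_dir(jars_dir: str) -> List[Tuple[str, str, str]]:
    """Audit a real jars/ directory of an unpacked Spark distribution."""
    return audit(coords_from_jar_names(str(p) for p in Path(jars_dir).glob("*.jar")))


# Constructed sample input (not a real listing): jar names as they would appear
# in a jars/ directory, plus two versions newer than the flagged ones.
SAMPLE_JARS = [
    "jars/log4j-1.2.17.jar",
    "jars/netty-all-4.1.47.Final.jar",
    "jars/jetty-http-9.3.24.v20180605.jar",
    "jars/spark-core_2.12-3.0.1.jar",      # not in the flagged list
    "jars/jackson-databind-2.10.0.jar",
    "jars/commons-io-2.8.0.jar",           # newer than flagged 2.5: not reported
    "jars/netty-all-4.1.51.Final.jar",     # newer than flagged 4.1.47.Final
]

# Constructed sample of `mvn dependency:list` output.
SAMPLE_MVN = """\
[INFO] The following files have been resolved:
[INFO]    commons-beanutils:commons-beanutils:jar:1.9.3:compile
[INFO]    org.apache.hadoop:hadoop-hdfs:jar:tests:2.7.4:test
[INFO]    com.fasterxml.woodstox:woodstox-core:jar:5.0.3:compile
[INFO]    org.eclipse.jetty:jetty-webapp:jar:9.4.35.v20201120:compile
"""

if __name__ == "__main__":
    for artifact, found, flagged in audit(coords_from_jar_names(SAMPLE_JARS)):
        print(f"jars/  {artifact} {found} (SPARK-34511 lists {flagged})")
    for artifact, found, flagged in audit(coords_from_mvn_output(SAMPLE_MVN)):
        print(f"maven  {artifact} {found} (SPARK-34511 lists {flagged})")
```

Point `audit_jar_dir` at a distribution's jars/ directory, or pipe `mvn dependency:list` output into `coords_from_mvn_output`, to get the same list a scanner would produce for these fourteen artifacts. The check deliberately reports "at or below the flagged version" rather than "exactly the flagged version", so an older pinned version is not missed; it says nothing about which newer release closes each finding, since the issue does not either.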