[
https://issues.apache.org/jira/browse/SPARK-34511?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17339422#comment-17339422
] Hari Prasad G commented on SPARK-34511: --------------------------------------- json-smart 2.3 has the following CVE * CVE-2021-27568 (BDSA-2021-0939) The recommended version for json-smart would be 2.4.2 > Current Security vulnerabilities in spark libraries > --------------------------------------------------- > > Key: SPARK-34511 > URL: https://issues.apache.org/jira/browse/SPARK-34511 > Project: Spark > Issue Type: Dependency upgrade > Components: Build > Affects Versions: 3.1.1 > Reporter: eoin > Priority: Major > Labels: security > Original Estimate: 168h > Remaining Estimate: 168h > > The following libraries have the following vulnerabilities that will fail > Nexus security scans. They are deemed as threats of level 7 and higher on the > Sonatype/Nexus scale. Many of them can be fixed by upgrading the dependencies > as the are fixed in subsequent releases. > > [Update - still present]com.fasterxml.woodstox : woodstox-core : 5.0.3 * > [https://github.com/FasterXML/woodstox/issues/50] > * [https://github.com/FasterXML/woodstox/issues/51] > * [https://github.com/FasterXML/woodstox/issues/61] > [Update - still present]com.nimbusds : nimbus-jose-jwt : 4.41.1 * > [https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt] > * [https://connect2id.com/blog/nimbus-jose-jwt-7-9] > [Update - still present]Log4j : log4j : 1.2.17 > SocketServer class that is vulnerable to deserialization of untrusted data: > * https://issues.apache.org/jira/browse/LOG4J2-1863 > * > [https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E] > * [https://bugzilla.redhat.com/show_bug.cgi?id=1785616] > Dynamic-link Library (DLL) Preloading: > * [https://bz.apache.org/bugzilla/show_bug.cgi?id=50323] > > [Fixed]-apache-xerces : xercesImpl : 2.9.1 * hash table collisions -> > https://issues.apache.org/jira/browse/XERCESJ-1685- > * > -[https://mail-archives.apache.org/mod_mbox/xerces-j-dev/201410.mbox/%3cof3b40f5f7.e6552a8b-on85257d73.00699ed7-85257d73.006a9...@ca.ibm.com%3E]- > * [-https://bugzilla.redhat.com/show_bug.cgi?id=1019176-] > > [Update - still present]com.fasterxml.jackson.core : jackson-databind : > 2.10.0 * [https://github.com/FasterXML/jackson-databind/issues/2589] > > [Update - still present ]commons-beanutils : commons-beanutils : 1.9.3 * > [http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader] > * https://issues.apache.org/jira/browse/BEANUTILS-463 > > [Update - still present ]commons-io : commons-io : 2.5 * > [https://github.com/apache/commons-io/pull/52] > * https://issues.apache.org/jira/browse/IO-556 > * https://issues.apache.org/jira/browse/IO-559 > > [Upgraded to 4.1.51.Final still with vulnerabilities, see new below]-io.netty > : netty-all : 4.1.47.Final * [https://github.com/netty/netty/issues/10351]- > * [-https://github.com/netty/netty/pull/10560-] > > [Update - still present]org.apache.commons : commons-compress : 1.18 * > [https://commons.apache.org/proper/commons-compress/security-reports.html#Apache_Commons_Compress_Security_Vulnerabilities] > > [Update - changed to > org.apache.hadoop : hadoop-hdfs-client : 3.2.0 see new below > ]-org.apache.hadoop : hadoop-hdfs : 2.7.4 * > [https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E]- > * > -[https://lists.apache.org/thread.html/caacbbba2dcc1105163f76f3dfee5fbd22e0417e0783212787086378@%3Cgeneral.hadoop.apache.org%3E]- > * -[https://hadoop.apache.org/cve_list.html]- > * -[https://www.openwall.com/lists/oss-security/2019/01/24/3]- > -- > -org.apache.hadoop : hadoop-mapreduce-client-core : 2.7.4 * > [https://bugzilla.redhat.com/show_bug.cgi?id=1516399]- > * > -[https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E]- > > [Update - still present]org.codehaus.jackson : jackson-mapper-asl : 1.9.13 * > [https://github.com/FasterXML/jackson-databind/issues/1599] > * [https://blog.sonatype.com/jackson-databind-remote-code-execution] > * [https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist] > * [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525] > * [https://access.redhat.com/security/cve/cve-2019-10172] > * [https://bugzilla.redhat.com/show_bug.cgi?id=1715075] > * [https://nvd.nist.gov/vuln/detail/CVE-2019-10172] > > [Update - still present]org.eclipse.jetty : jetty-http : 9.3.24.v20180605: * > [https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096] > > [Update -still present]org.eclipse.jetty : jetty-webapp : 9.3.24.v20180605 * > [https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921] > * [https://github.com/eclipse/jetty.project/issues/5451] > * > [https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6 > ] > New: > datatables 1.10.7 > * > [https://github.com/DataTables/Dist-DataTables/commit/e2e19eac7e5a6f140d7eefca5c7deba165b357eb#diff-e7d8309f017dd2ef6385fa8cdc1539a2R2765] > jquery 3.3.1 > * [https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/] > * [https://github.com/cbeust/testng/issues/2150] > > net.minidev : json-smart : 2.3 * > [https://github.com/netplex/json-smart-v1/issues/7] > * [https://github.com/netplex/json-smart-v2/issues/60] > > org.apache.hadoop : hadoop-yarn-common : 3.2.0 * > [https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/] > * [https://github.com/cbeust/testng/issues/2150] > * > [https://github.com/DataTables/Dist-DataTables/commit/e2e19eac7e5a6f140d7eefca5c7deba165b357eb#diff-e7d8309f017dd2ef6385fa8cdc1539a2R2765] > > com.squareup.okhttp : okhttp : 2.7.5 * > [https://source.android.com/security/bulletin/2021-02-01#android-runtime] > > io.netty : netty-all : 4.1.51.Final * > [https://github.com/netty/netty/issues/10351] > * [https://github.com/netty/netty/pull/10560] > > org.apache.hadoop : hadoop-hdfs-client : 3.2.0 > * > [https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E] -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
