[ https://issues.apache.org/jira/browse/SPARK-36134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17380695#comment-17380695 ]

Erik Krogen commented on SPARK-36134:
-------------------------------------

Jackson is already 2.12.3 (from 
[pom.xml|https://github.com/apache/spark/blob/fd06cc211d7d1579067ad717da9976aabd71b70d/pom.xml#L170]):
{code}
<fasterxml.jackson.version>2.12.3</fasterxml.jackson.version>
{code}
So what's the issue?

> jackson-databind RCE vulnerability [Need to upgrade to 2.9.3.1]
> ---------------------------------------------------------------
>
>                 Key: SPARK-36134
>                 URL: https://issues.apache.org/jira/browse/SPARK-36134
>             Project: Spark
>          Issue Type: Task
>          Components: Java API
>    Affects Versions: 3.1.2, 3.1.3
>            Reporter: Sumit
>            Priority: Major
>
> Need to upgrade jackson-databind version to *2.9.3.1*
> At the beginning of 2018, jackson-databind was reported to contain another 
> remote code execution (RCE) vulnerability (CVE-2017-17485) that affects 
> versions 2.9.3 and earlier, 2.7.9.1 and earlier, and 2.8.10 and earlier. This 
> vulnerability is caused by jackson-databind's incomplete blacklist. An 
> application that uses jackson-databind becomes vulnerable when the 
> enableDefaultTyping method is called via the ObjectMapper object within the 
> application. An attacker can thus compromise the application by sending 
> maliciously crafted JSON input to gain direct control over a server. 
> Currently, a proof of concept (POC) exploit for this vulnerability is 
> publicly available. All users who are affected by this vulnerability should 
> upgrade to the latest versions as soon as possible to fix this issue.
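The enableDefaultTyping configuration the description refers to, shown beside its hardened forms, as an added example that is not part of the issue, the comment, or Spark's or Jackson's own code. It assumes Jackson 2.10 or later on the classpath (where PolymorphicTypeValidator exists) and uses com.example.model as a placeholder package prefix.

```java
// Added example, not from SPARK-36134, Spark or Jackson. Assumes Jackson 2.10+;
// the package prefix com.example.model is a placeholder for the app's own model types.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingConfig {

    // The risky setting named in the issue description: global default typing
    // with no type validator, so the type id carried in the JSON decides which
    // class is instantiated. Deprecated since Jackson 2.10.
    @SuppressWarnings("deprecation")
    static ObjectMapper riskyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // resolves whatever type id appears in input
        return mapper;
    }

    // Hardened form: default typing stays enabled, but a PolymorphicTypeValidator
    // only allows subtypes under an allow-listed package prefix.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.") // placeholder prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Safest form: no default typing at all; polymorphism is declared per
    // property with @JsonTypeInfo / @JsonSubTypes on the model classes instead.
    static ObjectMapper plainMapper() {
        return new ObjectMapper();
    }

    // Self-check: a type id outside the allow-list must be rejected by the
    // hardened mapper instead of being resolved to a class.
    public static void main(String[] args) throws Exception {
        String untrusted = "[\"java.util.HashMap\", {}]"; // constructed sample input
        try {
            hardenedMapper().readValue(untrusted, Object.class);
            System.out.println("unexpected: type id was accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected as expected: " + e.getTypeId());
        }
    }
}
```

The same input handed to riskyMapper() would be resolved purely from the type id string, which is the behaviour the description warns about; the plainMapper() form avoids the question entirely.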



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
