[jira] [Updated] (SPARK-38252) Upgrade Dependencies in spark-sql Java library

Fri, 18 Feb 2022 10:08:04 -0800 


     [ 
https://issues.apache.org/jira/browse/SPARK-38252?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dhaval Shewale updated SPARK-38252:
-----------------------------------
    Description: 
There are numerous vulnerabilities in *spark-sql* Java library.

Can we pls upgrade the transitive dependencies to mitigate these 
vulnerabilities.

 

+*Dependency*+
{quote}{{<dependency>}}
{{  <groupId>org.apache.spark</groupId>}}
{{  <artifactId>spark-sql_2.13</artifactId>}}
{{  <version>3.2.1</version>}}
{{</dependency>}}
{quote}
 

+*Vulnerabilities*+
{quote}{{Found 17 vulnerabilities (12 High, 4 Medium, 1 Low)}}
{{---------------------------------------------------------------}}
{{| SEVERITY  |  LIBRARY                      |  ID             |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  commons-compress-1.20.jar    |  CVE-2021-35515 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  commons-compress-1.20.jar    |  CVE-2021-35516 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  commons-compress-1.20.jar    |  CVE-2021-35517 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  commons-compress-1.20.jar    |  CVE-2021-36090 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  gson-2.8.6.jar               |  WS-2021-0419   |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  log4j-1.2.17.jar             |  CVE-2019-17571 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  log4j-1.2.17.jar             |  CVE-2020-9493  |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  log4j-1.2.17.jar             |  CVE-2021-4104  |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  log4j-1.2.17.jar             |  CVE-2022-23302 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  log4j-1.2.17.jar             |  CVE-2022-23305 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  log4j-1.2.17.jar             |  CVE-2022-23307 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  netty-all-4.1.68.Final.jar   |  WS-2020-0408   |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| MEDIUM    |  jackson-core-2.12.3.jar      |  WS-2021-0616   |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| MEDIUM    |  jackson-databind-2.12.3.jar  |  WS-2021-0616   |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| MEDIUM    |  netty-all-4.1.68.Final.jar   |  CVE-2021-43797 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| MEDIUM    |  protobuf-java-2.5.0.jar      |  CVE-2021-22569 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| LOW       |  log4j-1.2.17.jar             |  CVE-2020-9488  |}}
{{---------------------------------------------------------------}}
{quote}
 

  was:
There are numerous vulnerabilities in *spark-sql* Java API.

Can we pls upgrade the transitive dependencies to mitigate these 
vulnerabilities.

 

+*Dependency*+
{quote}{{<dependency>}}
{{  <groupId>org.apache.spark</groupId>}}
{{  <artifactId>spark-sql_2.13</artifactId>}}
{{  <version>3.2.1</version>}}
{{</dependency>}}
{quote}
 

+*Vulnerabilities*+
{quote}{{Found 17 vulnerabilities (12 High, 4 Medium, 1 Low)}}
{{---------------------------------------------------------------}}
{{| SEVERITY  |  LIBRARY                      |  ID             |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  commons-compress-1.20.jar    |  CVE-2021-35515 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  commons-compress-1.20.jar    |  CVE-2021-35516 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  commons-compress-1.20.jar    |  CVE-2021-35517 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  commons-compress-1.20.jar    |  CVE-2021-36090 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  gson-2.8.6.jar               |  WS-2021-0419   |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  log4j-1.2.17.jar             |  CVE-2019-17571 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  log4j-1.2.17.jar             |  CVE-2020-9493  |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  log4j-1.2.17.jar             |  CVE-2021-4104  |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  log4j-1.2.17.jar             |  CVE-2022-23302 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  log4j-1.2.17.jar             |  CVE-2022-23305 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  log4j-1.2.17.jar             |  CVE-2022-23307 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| HIGH      |  netty-all-4.1.68.Final.jar   |  WS-2020-0408   |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| MEDIUM    |  jackson-core-2.12.3.jar      |  WS-2021-0616   |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| MEDIUM    |  jackson-databind-2.12.3.jar  |  WS-2021-0616   |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| MEDIUM    |  netty-all-4.1.68.Final.jar   |  CVE-2021-43797 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| MEDIUM    |  protobuf-java-2.5.0.jar      |  CVE-2021-22569 |}}
{{|---------- | ----------------------------- | ----------------|}}
{{| LOW       |  log4j-1.2.17.jar             |  CVE-2020-9488  |}}
{{---------------------------------------------------------------}}{quote}
 


> Upgrade Dependencies in spark-sql Java library
> ----------------------------------------------
>
>                 Key: SPARK-38252
>                 URL: https://issues.apache.org/jira/browse/SPARK-38252
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Java API
>    Affects Versions: 3.2.1
>            Reporter: Dhaval Shewale
>            Priority: Major
>
> There are numerous vulnerabilities in *spark-sql* Java library.
> Can we pls upgrade the transitive dependencies to mitigate these 
> vulnerabilities.
>  
> +*Dependency*+
> {quote}{{<dependency>}}
> {{  <groupId>org.apache.spark</groupId>}}
> {{  <artifactId>spark-sql_2.13</artifactId>}}
> {{  <version>3.2.1</version>}}
> {{</dependency>}}
> {quote}
>  
> +*Vulnerabilities*+
> {quote}{{Found 17 vulnerabilities (12 High, 4 Medium, 1 Low)}}
> {{---------------------------------------------------------------}}
> {{| SEVERITY  |  LIBRARY                      |  ID             |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  commons-compress-1.20.jar    |  CVE-2021-35515 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  commons-compress-1.20.jar    |  CVE-2021-35516 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  commons-compress-1.20.jar    |  CVE-2021-35517 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  commons-compress-1.20.jar    |  CVE-2021-36090 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  gson-2.8.6.jar               |  WS-2021-0419   |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  log4j-1.2.17.jar             |  CVE-2019-17571 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  log4j-1.2.17.jar             |  CVE-2020-9493  |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  log4j-1.2.17.jar             |  CVE-2021-4104  |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  log4j-1.2.17.jar             |  CVE-2022-23302 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  log4j-1.2.17.jar             |  CVE-2022-23305 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  log4j-1.2.17.jar             |  CVE-2022-23307 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  netty-all-4.1.68.Final.jar   |  WS-2020-0408   |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| MEDIUM    |  jackson-core-2.12.3.jar      |  WS-2021-0616   |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| MEDIUM    |  jackson-databind-2.12.3.jar  |  WS-2021-0616   |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| MEDIUM    |  netty-all-4.1.68.Final.jar   |  CVE-2021-43797 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| MEDIUM    |  protobuf-java-2.5.0.jar      |  CVE-2021-22569 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| LOW       |  log4j-1.2.17.jar             |  CVE-2020-9488  |}}
> {{---------------------------------------------------------------}}
> {quote}
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to