[
https://issues.apache.org/jira/browse/SPARK-38252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17494885#comment-17494885
]
Hyukjin Kwon commented on SPARK-38252:
--------------------------------------
commons is already upgraded too. we don't use gson directly. I will mark this
JIRA as invalid for now.
> Upgrade Dependencies in spark-sql Java library
> ----------------------------------------------
>
> Key: SPARK-38252
> URL: https://issues.apache.org/jira/browse/SPARK-38252
> Project: Spark
> Issue Type: Dependency upgrade
> Components: Java API
> Affects Versions: 3.2.1
> Reporter: Dhaval Shewale
> Priority: Critical
>
> There are numerous vulnerabilities in *spark-sql* Java library.
> Can we pls upgrade the transitive dependencies to mitigate these
> vulnerabilities.
>
> +*Maven Dependency*+
> {quote}{{<dependency>}}
> {{ <groupId>org.apache.spark</groupId>}}
> {{ <artifactId>spark-sql_2.13</artifactId>}}
> {{ <version>3.2.1</version>}}
> {{</dependency>}}
> {quote}
>
> +*Vulnerabilities*+
> {quote}{{Found 17 vulnerabilities (12 High, 4 Medium, 1 Low)}}
> {{---------------------------------------------------------------}}
> {{| SEVERITY | LIBRARY | ID |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | commons-compress-1.20.jar | CVE-2021-35515 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | commons-compress-1.20.jar | CVE-2021-35516 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | commons-compress-1.20.jar | CVE-2021-35517 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | commons-compress-1.20.jar | CVE-2021-36090 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | gson-2.8.6.jar | WS-2021-0419 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2019-17571 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2020-9493 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2021-4104 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2022-23302 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2022-23305 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | log4j-1.2.17.jar | CVE-2022-23307 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH | netty-all-4.1.68.Final.jar | WS-2020-0408 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| MEDIUM | jackson-core-2.12.3.jar | WS-2021-0616 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| MEDIUM | jackson-databind-2.12.3.jar | WS-2021-0616 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| MEDIUM | netty-all-4.1.68.Final.jar | CVE-2021-43797 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| MEDIUM | protobuf-java-2.5.0.jar | CVE-2021-22569 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| LOW | log4j-1.2.17.jar | CVE-2020-9488 |}}
> {{---------------------------------------------------------------}}
> {quote}
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
