[
https://issues.apache.org/jira/browse/SPARK-40908?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rajesh updated SPARK-40908:
---------------------------
Description:
Hi Spark team,
[~dongjoon] [~bjornjorgensen]
We are using spark 3.0.0 on AWS EMR service to run our spark jobs.
spark-core_2.12:3.0.0 has transitive dependency on commons-text 1.6 and this
is flagged as critical severity CVE-2022-42889.
As per Jira SPARK-40801 , commons text has been upgraded and spark 3.4.0 is
released.
We are dependent on AWS EMR service and changing EMR version and spark version
is big task for us considering all downstream dependent applications
We know spark 3.0.0 is EOL for you but would really appreciate if could provide
guidance on it.
We have few queries and need inputs from spark dev team to handle this issue on
priority at our end
* Does spark-core use StringSubstitutor and {*}do we need to worry about
this{*}?
* which lib or code within spark core 3.0.0 triggers StringSubstitutor method
?
* I searched for spark source code for usage of StringSubstitutor and found
one reference here
[https://github.com/apache/spark/blob/master/core/src/main/scala/org/apache/spark/ErrorClassesJSONReader.scala]
in master branch but this class is not available in spark 3.0.0 tags. As per
link - [https://blogs.apache.org/security/entry/cve-2022-42889] , If you rely
on software that uses a version of commons-text prior to 1.10.0, you are likely
still not vulnerable: you are only affected when this software uses the
{{StringSubstitutor}} API without properly sanitizing any untrusted input.
* *Please confirm if spark 3.0.0 does not use {{StringSubstitutor}} API from
commons-text but just have dependency marked in POM*
[https://github.com/apache/spark/blob/3fdfce3120f307147244e5eaf46d61419a723d50/pom.xml#L506]
?
* can we include the apache commons text 1.10.0 as explicit dependency on our
applications POMs and add common text 1.6 in exclusions for spark-core , will
it work ?
was:
Hi Spark team,
We are using spark 3.0.0 on AWS EMR service to run our spark jobs.
spark-core_2.12:3.0.0 has transitive dependency on commons-text 1.6 and this
is flagged as critical severity CVE-2022-42889.
As per Jira SPARK-40801 , commons text has been upgraded and spark 3.4.0 is
released.
We are dependent on AWS EMR service and changing EMR version and spark version
is big task for us considering all downstream dependent applications
We know spark 3.0.0 is EOL for you but would really appreciate if could provide
guidance on it.
We have few queries and need inputs from spark dev team to handle this issue on
priority at our end
* Does spark-core use StringSubstitutor and {*}do we need to worry about
this{*}?
* which lib or code within spark core 3.0.0 triggers StringSubstitutor method
?
* I searched for spark source code for usage of StringSubstitutor and found
one reference here
[https://github.com/apache/spark/blob/master/core/src/main/scala/org/apache/spark/ErrorClassesJSONReader.scala]
in master branch but this class is not available in spark 3.0.0 tags. As per
link - [https://blogs.apache.org/security/entry/cve-2022-42889] , If you rely
on software that uses a version of commons-text prior to 1.10.0, you are likely
still not vulnerable: you are only affected when this software uses the
{{StringSubstitutor}} API without properly sanitizing any untrusted input.
* *Please confirm if spark 3.0.0 does not use {{StringSubstitutor}} API from
commons-text but just have dependency marked in POM*
[https://github.com/apache/spark/blob/3fdfce3120f307147244e5eaf46d61419a723d50/pom.xml#L506]
?
* can we include the apache commons text 1.10.0 as explicit dependency on our
applications POMs and add common text 1.6 in exclusions for spark-core , will
it work ?
> need guidance for vulnerability CVE-2022-42889 in spark 3.0.0 version
> ---------------------------------------------------------------------
>
> Key: SPARK-40908
> URL: https://issues.apache.org/jira/browse/SPARK-40908
> Project: Spark
> Issue Type: Question
> Components: Spark Core
> Affects Versions: 3.0.0
> Reporter: Rajesh
> Priority: Major
> Labels: SECURITY, security
>
> Hi Spark team,
>
> [~dongjoon] [~bjornjorgensen]
>
>
> We are using spark 3.0.0 on AWS EMR service to run our spark jobs.
> spark-core_2.12:3.0.0 has transitive dependency on commons-text 1.6 and this
> is flagged as critical severity CVE-2022-42889.
> As per Jira SPARK-40801 , commons text has been upgraded and spark 3.4.0 is
> released.
> We are dependent on AWS EMR service and changing EMR version and spark
> version is big task for us considering all downstream dependent applications
> We know spark 3.0.0 is EOL for you but would really appreciate if could
> provide guidance on it.
> We have few queries and need inputs from spark dev team to handle this issue
> on priority at our end
>
>
> * Does spark-core use StringSubstitutor and {*}do we need to worry about
> this{*}?
> * which lib or code within spark core 3.0.0 triggers StringSubstitutor
> method ?
> * I searched for spark source code for usage of StringSubstitutor and found
> one reference here
> [https://github.com/apache/spark/blob/master/core/src/main/scala/org/apache/spark/ErrorClassesJSONReader.scala]
> in master branch but this class is not available in spark 3.0.0 tags. As
> per link - [https://blogs.apache.org/security/entry/cve-2022-42889] , If you
> rely on software that uses a version of commons-text prior to 1.10.0, you are
> likely still not vulnerable: you are only affected when this software uses
> the {{StringSubstitutor}} API without properly sanitizing any untrusted input.
> * *Please confirm if spark 3.0.0 does not use {{StringSubstitutor}} API
> from commons-text but just have dependency marked in POM*
> [https://github.com/apache/spark/blob/3fdfce3120f307147244e5eaf46d61419a723d50/pom.xml#L506]
> ?
> * can we include the apache commons text 1.10.0 as explicit dependency on
> our applications POMs and add common text 1.6 in exclusions for spark-core ,
> will it work ?
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
