[ https://issues.apache.org/jira/browse/SPARK-44757?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Anand Balasubramaniam updated SPARK-44757:
------------------------------------------
    Priority: Major  (was: Minor)

> Vulnerabilities in Spark 3.4
> ----------------------------
>
>                 Key: SPARK-44757
>                 URL: https://issues.apache.org/jira/browse/SPARK-44757
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Core
>    Affects Versions: 3.4.0
>            Reporter: Anand Balasubramaniam
>            Priority: Major
>
> We are seeing the below list of TPLs with vulnerabilities bundled with the Spark 3.4 package in a StackRox scan. Is there any ETA on fixing them? Kindly apprise us on the same.
>
> h2. Vulnerabilities in Spark 3.4
>
> |*CVE*|*Description*|*Severity*|
> |CVE-2018-21234|Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.|CVSS Score: 9.8 Critical|
> |CVE-2022-42004|In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.|CVSS Score: 7.5 Important|
> |CVE-2022-42003|In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix versions in 2.13.4.1 and 2.12.17.1.|CVSS Score: 7.5 Important|
> |CVE-2022-40152|Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DoS) if DTD support is enabled. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.|CVSS Score: 7.5 Important|
> |CVE-2022-3171|A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.|CVSS Score: 7.5 Important|
> |CVE-2021-34538|Apache Hive before 3.1.3 "CREATE" and "DROP" function operations do not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.|CVSS Score: 7.5 Important|
> |CVE-2020-13949|In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.|CVSS Score: 7.5 Important|
> |CVE-2018-10237|Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.|CVSS 5.9 Moderate|
> |CVE-2021-22569|An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.|CVSS 5.9 Moderate|
> |CVE-2020-8908|A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory(), which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.|CVSS 3.3 Low|

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
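The report lists CVEs by library and fixed version but not which jars in the Spark distribution actually fall inside the affected ranges, which is the first thing a maintainer or a downstream operator has to establish before asking for an ETA. The script below is an added example, written for this page and not code from the reporter, from StackRox or from the Spark project. It encodes the version bounds exactly as the table above states them, parses `artifact-version.jar` file names from a `jars/` directory, and reports per jar whether each CVE applies, does not apply, or needs manual review because the report gives no version bounds (CVE-2022-40152, CVE-2021-22569). Assumptions: the jar naming regex and the per-CVE artifact-name patterns are mine; Maven pre-release qualifiers (`rc`, `beta`, ...) sort before the release and other suffixes such as `-jre` or `-core` are ignored; the Thrift fix is taken as 0.14.0 since the report names 0.13.0 as the last affected release; the sample jar list is constructed for the demo and is not the real Spark 3.4.0 `jars/` contents.

```python
"""Triage the CVE table from SPARK-44757 against a directory of jars.

Added example, not project code. Run with no arguments for the constructed
sample listing, or `python triage.py $SPARK_HOME/jars` for a real install.
"""
import re
from dataclasses import dataclass

# artifact-version.jar: the version starts at the first '-' followed by a digit
# (assumption: Maven-style file names, e.g. spark-core_2.12-3.4.0.jar)
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][\w.\-]*?)-(?P<version>\d[\w.\-]*)\.jar$")
PRE_RELEASE_RE = re.compile(r"^(alpha|beta|milestone|m|rc|cr|snapshot)[.\-]?(\d*)")


def parse_version(text):
    """Sortable key (numeric parts, release marker). 2.14.0-rc1 < 2.14.0 and
    2.13.4 < 2.13.4.1; suffixes like '-jre' or '-core' are treated as labels."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError(f"unparseable version: {text}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    tail = PRE_RELEASE_RE.match(m.group(2).lstrip(".-_").lower())
    marker = (0, tail.group(1), int(tail.group(2) or 0)) if tail else (1,)
    return nums, marker


def version_lt(a, b):
    na, ma = parse_version(a)
    nb, mb = parse_version(b)
    width = max(len(na), len(nb))  # pad so 2.13.4 == 2.13.4.0
    return (na + (0,) * (width - len(na)), ma) < (nb + (0,) * (width - len(nb)), mb)


@dataclass(frozen=True)
class Rule:
    cve: str
    artifact: str   # regex on the artifact name (assumed mapping, mine)
    ranges: tuple   # (floor, fixed) pairs; fixed=None means no fixed release; () means no bounds given
    note: str = ""


# Bounds transcribed from the table in the report above.
RULES = (
    Rule("CVE-2018-21234", r"^jodd(-core)?$", (("0", "5.0.4"),)),
    Rule("CVE-2022-42004", r"^jackson-databind$", (("0", "2.13.4"),)),
    Rule("CVE-2022-42003", r"^jackson-databind$", (("0", "2.12.17.1"), ("2.13", "2.13.4.1"))),
    Rule("CVE-2022-40152", r"^woodstox-core$", (), "no version bounds in report; check whether DTD support is enabled"),
    Rule("CVE-2022-3171", r"^protobuf-java$",
         (("0", "3.16.3"), ("3.17", "3.19.6"), ("3.20", "3.20.3"), ("3.21", "3.21.7"))),
    Rule("CVE-2021-34538", r"^hive-(exec|metastore|common|serde)$", (("0", "3.1.3"),)),
    Rule("CVE-2020-13949", r"^libthrift$", (("0.9.3", "0.14.0"),)),   # 0.13.0 is the last affected release
    Rule("CVE-2018-10237", r"^guava$", (("11.0", "24.1.1"),)),
    Rule("CVE-2021-22569", r"^protobuf-java$", (), "no version bounds in report; upgrade beyond vulnerable versions"),
    Rule("CVE-2020-8908", r"^guava$", (("0", None),), "all versions; avoid Files.createTempDir()"),
)


def in_range(version, bounds):
    floor, fixed = bounds
    return not version_lt(version, floor) and (fixed is None or version_lt(version, fixed))


def triage(jar_name):
    """Return [(cve, status, detail)] for every rule whose artifact matches the jar."""
    m = JAR_RE.match(jar_name)
    if not m:
        return []
    artifact, version = m.group("artifact"), m.group("version")
    findings = []
    for rule in RULES:
        if not re.search(rule.artifact, artifact):
            continue
        if not rule.ranges:
            findings.append((rule.cve, "review", rule.note))
            continue
        hit = next((b for b in rule.ranges if in_range(version, b)), None)
        if hit:
            findings.append((rule.cve, "vulnerable", f"{hit[0]} <= {version} < {hit[1] or 'no fix'}"))
        else:
            findings.append((rule.cve, "not affected", version))
    return findings


def scan(jar_names):
    """Map each jar that matches at least one rule to its findings."""
    return {jar: f for jar in jar_names if (f := triage(jar))}


# Constructed sample listing for the demo; NOT the actual Spark 3.4.0 jars/ directory.
SAMPLE_JARS = [
    "spark-core_2.12-3.4.0.jar", "jackson-databind-2.14.2.jar", "guava-14.0.1.jar",
    "protobuf-java-3.21.6.jar", "libthrift-0.12.0.jar", "hive-exec-2.3.9-core.jar",
    "jodd-core-3.5.2.jar", "woodstox-core-6.5.0.jar",
]

if __name__ == "__main__":
    import os, sys
    names = sorted(os.listdir(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_JARS
    for jar, findings in scan(names).items():
        for cve, status, detail in findings:
            print(f"{jar}: {cve} {status} ({detail})")
```

The output is only as good as the version strings in the file names: shaded or relocated classes (Spark bundles some dependencies that way) do not show up as separate jars, so a clean run here does not clear a library that is embedded inside another artifact; for those, a scanner that inspects `META-INF/maven/*/pom.properties` inside each jar is needed.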