[ https://issues.apache.org/jira/browse/SPARK-44757?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Anand Balasubramaniam updated SPARK-44757:
------------------------------------------
    Priority: Major  (was: Minor)

> Vulnerabilities in Spark3.4
> ---------------------------
>
>                 Key: SPARK-44757
>                 URL: https://issues.apache.org/jira/browse/SPARK-44757
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Core
>    Affects Versions: 3.4.0
>            Reporter: Anand Balasubramaniam
>            Priority: Major
>
> We are seeing the below list of TPLs with vulnerabilities bundled with the Spark 3.4 
> package in a StackRox scan. Is there any ETA on fixing them? Kindly apprise 
> us on the same.
> h2. Vulnerabilities in Spark3.4
> |*CVE*|*Description*|*Severity*|
> |CVE-2018-21234|Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.|CVSS Score: 9.8 Critical|
> |CVE-2022-42004|In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.|CVSS Score: 7.5 Important|
> |CVE-2022-42003|In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix versions in 2.13.4.1 and 2.12.17.1.|CVSS Score: 7.5 Important|
> |CVE-2022-40152|Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.|CVSS Score: 7.5 Important|
> |CVE-2022-3171|A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.|CVSS Score: 7.5 Important|
> |CVE-2021-34538|Apache Hive before 3.1.3 "CREATE" and "DROP" function operations do not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs, pointing them to new jars that could be potentially malicious.|CVSS Score: 7.5 Important|
> |CVE-2020-13949|In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.|CVSS Score: 7.5 Important|
> |CVE-2018-10237|Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.|CVSS Score: 5.9 Moderate|
> |CVE-2021-22569|An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.|CVSS Score: 5.9 Moderate|
> |CVE-2020-8908|A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory(), which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.|CVSS Score: 3.3 Low|

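The table above gives, for most entries, the version at which each library was fixed. The practical follow-up for anyone running a Spark build is to check which of the bundled jars actually fall in the affected range. The script below is an added example written for this purpose; it is not Spark project code and is not attached to the issue. It reads the fixed versions from the issue text, assumes the usual Maven artifact ids for the jar file names (jodd-core, jackson-databind, protobuf-java, hive-exec, libthrift, guava), and uses a constructed jars/ listing rather than the contents of any real Spark 3.4 release. Advisories on the page that name no fixed version (the Guava createTempDir entry, protobuf CVE-2021-22569, Woodstox) are deliberately left out rather than guessed at.

```python
"""Audit the jars of a Spark distribution against the fixed versions named in
the SPARK-44757 table.  Added example, not Spark project code; the jar names
below are constructed and do not describe any real Spark 3.4 build."""
import re
from pathlib import Path

# (artifact id, lowest affected version or None, fixed versions) per CVE, taken
# from the issue text.  Several fixed versions mean the advisory patched several
# release lines; each one covers its own major.minor line.  The artifact ids are
# the usual Maven ids and are an assumption of this example.
ADVISORIES = {
    "CVE-2018-21234": ("jodd-core", None, ["5.0.4"]),
    "CVE-2022-42004": ("jackson-databind", None, ["2.13.4"]),
    "CVE-2022-42003": ("jackson-databind", None, ["2.14.0", "2.13.4.1", "2.12.17.1"]),
    "CVE-2022-3171": ("protobuf-java", None, ["3.21.7", "3.20.3", "3.19.6", "3.16.3"]),
    "CVE-2021-34538": ("hive-exec", None, ["3.1.3"]),
    "CVE-2020-13949": ("libthrift", "0.9.3", ["0.14.0"]),  # "0.9.3 to 0.13.0"
    "CVE-2018-10237": ("guava", "11.0", ["24.1.1"]),       # "11.0 through 24.x"
}

# artifact id, a dash, then a version that starts with at least two numbers
JAR_RE = re.compile(
    r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)+(?:[-.][0-9A-Za-z]+)*)\.jar$"
)


def parse_version(text):
    """Numeric components of a version as a tuple.  A qualifier such as "-rc1"
    or "-core" is dropped, so "2.14.0-rc1" compares as (2, 14, 0)."""
    return tuple(int(x) for x in re.match(r"\d+(?:\.\d+)*", text).group(0).split("."))


def is_vulnerable(version, affected_from, fixed):
    """True if `version` lies in the affected range described by the advisory."""
    v = parse_version(version)
    if affected_from is not None and v < parse_version(affected_from):
        return False
    fixed_v = [parse_version(f) for f in fixed]
    # A fix on the same major.minor line is the one that applies; a line
    # without its own fix is only clear once it is past the newest fix.
    same_line = [f for f in fixed_v if f[:2] == v[:2]]
    threshold = same_line[0] if same_line else max(fixed_v)
    return v < threshold


def audit(jar_names):
    """Map each jar that matches an advisory to the CVE ids it is exposed to."""
    findings = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue  # not a name-version.jar pattern; nothing to compare
        for cve, (artifact, affected_from, fixed) in ADVISORIES.items():
            if m["artifact"] == artifact and is_vulnerable(m["version"], affected_from, fixed):
                findings.setdefault(name, []).append(cve)
    return findings


def audit_dir(jars_dir):
    """Run the audit over $SPARK_HOME/jars (or any directory of jars)."""
    return audit(p.name for p in Path(jars_dir).glob("*.jar"))


# Constructed sample of a jars/ listing, not the contents of any real release.
SAMPLE_JARS = [
    "spark-core_2.12-3.4.0.jar",
    "jodd-core-3.5.2.jar",
    "jackson-databind-2.13.4.jar",  # fixed for CVE-2022-42004, not for CVE-2022-42003
    "protobuf-java-3.19.5.jar",     # 3.19 line, one below its 3.19.6 fix
    "hive-exec-2.3.9-core.jar",
    "libthrift-0.12.0.jar",
    "guava-14.0.1.jar",
]

if __name__ == "__main__":
    for jar, cves in audit(SAMPLE_JARS).items():
        print(f"{jar}: {', '.join(cves)}")
```

Run `audit_dir("/path/to/spark/jars")` against a real distribution to get the same mapping for that build. The per-line rule in `is_vulnerable` is what makes the jackson-databind row come out right: 2.13.4 is at the CVE-2022-42004 fix but one patch below the 2.13.4.1 fix for CVE-2022-42003, so only the second CVE is reported for it.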
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
