[jira] [Updated] (SPARK-51035) Upgrade dependencies exposed to critical and high CVEs

Tue, 24 Jun 2025 18:56:47 -0700 


     [ 
https://issues.apache.org/jira/browse/SPARK-51035?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ASF GitHub Bot updated SPARK-51035:
-----------------------------------
    Labels: pull-request-available  (was: )

> Upgrade dependencies exposed to critical and high CVEs
> ------------------------------------------------------
>
>                 Key: SPARK-51035
>                 URL: https://issues.apache.org/jira/browse/SPARK-51035
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: PySpark
>    Affects Versions: 4.0.0
>            Reporter: Marina Gonzalez
>            Priority: Critical
>              Labels: pull-request-available
>
> Several outdated library dependencies still referenced in *PySpark 4.0.0* 
> contain {*}high/critical security vulnerabilities (CVEs){*}. If not updated, 
> these vulnerabilities could affect users who rely on PySpark for production 
> workloads.
>  * 
> {color:#172b4d}[{*}derby{*}:|https://github.com/apache/spark/blob/b49ef2ada0fcce7e3b5559abaf067d11f324d733/pom.xml#L139]{color}
>  
> _[v.10.16.1.1|https://github.com/apache/spark/blob/b49ef2ada0fcce7e3b5559abaf067d11f324d733/pom.xml#L139]_
>  referenced by pyspark4.0.0 does [not 
> resolve|https://mvnrepository.com/artifact/org.apache.derby/derby/10.16.1.1] 
> the vulnerability ([NVD - 
> CVE-2022-46337|https://nvd.nist.gov/vuln/detail?vulnId=CVE-2022-46337])
>  * {*}libfb303-0.9.3.jar{*}: 
> [v.0.9.3|https://github.com/apache/spark/blob/b49ef2ada0fcce7e3b5559abaf067d11f324d733/pom.xml#L2486]
>  is still referenced by pyspark4.0.0 does [not 
> resolve|https://mvnrepository.com/artifact/org.apache.thrift/libfb303/0.9.3] 
> some key vulnerabilities
>  ** libfb303-0.9.3.jar comes from thrift v0.9.3 which is 10 years old (flag)
>  * {*}janino-3.1.9.jar{*}: 
> [v.3.1.9|https://github.com/apache/spark/blob/b49ef2ada0fcce7e3b5559abaf067d11f324d733/pom.xml#L200]
>  still referenced by pyspark4.0.0 does [not 
> resolve|https://nvd.nist.gov/vuln/detail/CVE-2023-33546] the vulnerability 
> ([NVD - 
> CVE-2023-33546|https://nvd.nist.gov/vuln/detail?vulnId=CVE-2023-33546])
> These vulnerabilities affect Spark users by:
>  * Exposing PySpark workflows to potential security risks.
>  * Including outdated dependencies that lack recent security fixes.
>  * Forcing users to patch Spark manually instead of using an official release.
> Expected Behaviour:
>  * Ideally, the dependencies should be upgraded to their latest secure 
> versions before the final release of PySpark 4.0.0.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to