Kai Qin created SPARK-52708:
-------------------------------
Summary: Remove dependencies exposed to critical and high CVEs
Key: SPARK-52708
URL: https://issues.apache.org/jira/browse/SPARK-52708
Project: Spark
Issue Type: Dependency upgrade
Components: PySpark
Affects Versions: 4.0.0
Reporter: Kai Qin
Several outdated library dependencies still referenced in PySpark 4.0.0
contain high/critical security vulnerabilities (CVEs). If not updated,
these vulnerabilities could affect users who rely on PySpark for production
workloads.

* derby: v.10.16.1.1
  (pom.xml: https://github.com/apache/spark/blob/b49ef2ada0fcce7e3b5559abaf067d11f324d733/pom.xml#L139)
  referenced by pyspark 4.0.0 does not resolve the vulnerability
  (NVD - CVE-2022-46337: https://nvd.nist.gov/vuln/detail?vulnId=CVE-2022-46337;
  artifact: https://mvnrepository.com/artifact/org.apache.derby/derby/10.16.1.1)
* libfb303-0.9.3.jar: v.0.9.3
  (pom.xml: https://github.com/apache/spark/blob/b49ef2ada0fcce7e3b5559abaf067d11f324d733/pom.xml#L2486)
  is still referenced by pyspark 4.0.0 and does not resolve some key vulnerabilities
  (artifact: https://mvnrepository.com/artifact/org.apache.thrift/libfb303/0.9.3)
  ** libfb303-0.9.3.jar comes from thrift v0.9.3, which is 10 years old (flag)
* janino-3.1.9.jar: v.3.1.9
  (pom.xml: https://github.com/apache/spark/blob/b49ef2ada0fcce7e3b5559abaf067d11f324d733/pom.xml#L200)
  still referenced by pyspark 4.0.0 does not resolve the vulnerability
  (NVD - CVE-2023-33546: https://nvd.nist.gov/vuln/detail?vulnId=CVE-2023-33546)

These vulnerabilities affect Spark users by:
* Exposing PySpark workflows to potential security risks.
* Including outdated dependencies that lack recent security fixes.
* Forcing users to patch Spark manually instead of using an official release.

Expected Behaviour:
* Ideally, the dependencies should be upgraded to their latest secure versions
  before the final release of PySpark 4.0.0.
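A quick way for an operator to check whether an installed PySpark still ships the three jars named in this issue is to list the wheel's bundled jars directory and compare artifact versions against the ones cited above. The script below is an added example for this report, not code from the Spark project or the reporter. It assumes the pip wheel layout (a `jars` directory beside the `pyspark` package), parses `<artifact>-<version>.jar` file names, and flags any of the three artifacts at or below the version the issue cites; that "at or below" rule is an assumption of the example (confirm the fixed version against each advisory), and the sample file listing it runs on offline is constructed.

```python
import re
from pathlib import Path

# Versions the issue says are referenced by PySpark 4.0.0 and do not resolve
# the cited CVEs. The libfb303 entry has no CVE in the issue; only the age
# of Thrift 0.9.3 is flagged there.
AFFECTED = {
    "derby": ("10.16.1.1", "NVD CVE-2022-46337"),
    "libfb303": ("0.9.3", "no CVE cited in SPARK-52708; Thrift 0.9.3 is ~10 years old"),
    "janino": ("3.1.9", "NVD CVE-2023-33546"),
}

# Matches "<artifact>-<numeric.version>.jar"; artifact names may contain
# hyphens and underscores (e.g. spark-core_2.13), so the name group is lazy.
JAR_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def parse_jar(filename):
    """Split a jar file name into (artifact, version); None if it does not fit."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group("name"), m.group("version")


def version_tuple(v):
    """'10.16.1.1' -> (10, 16, 1, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def at_or_below(version, reference):
    # Assumption of this example: anything at or below the cited version is
    # treated as still affected. Verify against the advisory's fixed version.
    return version_tuple(version) <= version_tuple(reference)


def scan_jars(filenames):
    """Return a finding per jar whose artifact/version matches AFFECTED."""
    findings = []
    for fn in sorted(filenames):
        parsed = parse_jar(fn)
        if parsed is None:
            continue
        name, version = parsed
        if name in AFFECTED:
            ref_version, advisory = AFFECTED[name]
            if at_or_below(version, ref_version):
                findings.append({
                    "jar": fn,
                    "artifact": name,
                    "version": version,
                    "cited_version": ref_version,
                    "advisory": advisory,
                })
    return findings


def scan_directory(jars_dir):
    """Scan every *.jar in a directory (e.g. the pyspark/jars directory)."""
    return scan_jars(p.name for p in Path(jars_dir).glob("*.jar"))


def pyspark_jars_dir():
    """Locate the bundled jars of an installed PySpark wheel; None if not installed."""
    try:
        import pyspark  # only used to find the install location
    except ImportError:
        return None
    return Path(pyspark.__file__).parent / "jars"


# Constructed sample listing (not a real pyspark/jars directory):
# the three jars from the issue, plus a newer janino and unrelated jars.
SAMPLE_LISTING = [
    "derby-10.16.1.1.jar",
    "libfb303-0.9.3.jar",
    "janino-3.1.9.jar",
    "janino-3.1.10.jar",        # hypothetical newer version; should not be flagged
    "commons-compiler-3.1.9.jar",  # different artifact; not in the issue's list
    "spark-core_2.13-4.0.0.jar",
]


if __name__ == "__main__":
    jars = pyspark_jars_dir()
    if jars is not None and jars.is_dir():
        results = scan_directory(jars)
        print(f"scanned {jars}")
    else:
        results = scan_jars(SAMPLE_LISTING)
        print("pyspark not installed; scanning constructed sample listing")
    for f in results:
        print(f"{f['jar']}: {f['artifact']} {f['version']} <= {f['cited_version']} ({f['advisory']})")
```

Run it on a host that has PySpark installed and it reports the real bundled jars; without PySpark it falls back to the constructed listing. Unrelated artifacts (commons-compiler, spark-core) and the hypothetical janino 3.1.10 pass through unflagged, which is the behaviour a CI gate for this issue would want before cutting a release.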
--
This message was sent by Atlassian Jira
(v8.20.10#820010)