Andreas Thum created SPARK-54715:
------------------------------------
Summary: Request to patch dependencies to fix critical CVEs
Key: SPARK-54715
URL: https://issues.apache.org/jira/browse/SPARK-54715
Project: Spark
Issue Type: Dependency upgrade
Components: Security
Affects Versions: 3.5.7, 4.0.1
Reporter: Andreas Thum
Our security scanner finds the following critical vulnerabilities in our spark
container image.
Is it possible for you to upgrade the dependencies to the fixed versions?
Thank you!
*Spark 4.0.1*
||Vulnerability||Severity||CVSS3||Package||Current Version||Fixed in version||
|[CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561]|Critical|NVD:
9.8|org.apache.avro_avro|1.9.2|1.11.4|
|[CVE-2025-12383|https://nvd.nist.gov/vuln/detail/CVE-2025-12383]|Critical|NVD:
9.4|org.glassfish.jersey.core_jersey-client|3.0.16| 4.0.0-m2, 3.1.10,
3.0.17,...|
I've seen that there is already a PR to fix
[CVE-2025-12383|https://github.com/advisories/GHSA-7p63-w6x9-6gr7]:
[#53404|https://github.com/apache/spark/pull/53404] [SPARK-54649][BUILD][3.5]
Upgrade Jersey to 2.47
*Spark 3.5.7*
||Vulnerability||Severity||CVSS3||Package||Current Version||Fixed in version||
|[CVE-2023-44981|https://nvd.nist.gov/vuln/detail/CVE-2023-44981]|Critical|N/A|org.apache.zookeeper_zookeeper|3.6.3|3.9.1,
3.8.3, 3.7.2|
|[CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561]|Critical|NVD:
9.8|org.apache.avro_avro|1.7.7|1.11.4|
A fix for [CVE-2023-44981|https://nvd.nist.gov/vuln/detail/CVE-2023-44981] was
already requested in SPARK-45956 and a backport to Spark 3.X was rejected
([https://github.com/apache/spark/pull/43844#issuecomment-3468731350]).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
