[jira] [Resolved] (SPARK-54715) Request to patch dependencies to fix critical CVEs

Tue, 16 Dec 2025 02:41:07 -0800 


     [ 
https://issues.apache.org/jira/browse/SPARK-54715?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andreas Thum resolved SPARK-54715.
----------------------------------
    Resolution: Abandoned

Will create a new issue only for Spark 4

> Request to patch dependencies to fix critical CVEs
> --------------------------------------------------
>
>                 Key: SPARK-54715
>                 URL: https://issues.apache.org/jira/browse/SPARK-54715
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Security
>    Affects Versions: 4.0.1, 3.5.7
>            Reporter: Andreas Thum
>            Priority: Major
>              Labels: security
>
> Our security scanner finds the following critical vulnerabilities in our 
> spark container image.
> Is it possible for you to upgrade the dependencies to the fixed versions?
> Thank you!
>  
> *Spark 4.0.1*
> ||Vulnerability||Severity||CVSS3||Package||Current Version||Fixed in version||
> |[CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561]|Critical|NVD:
>  9.8|org.apache.avro_avro|1.9.2|1.11.4|
> |[CVE-2025-12383|https://nvd.nist.gov/vuln/detail/CVE-2025-12383]|Critical|NVD:
>  9.4|org.glassfish.jersey.core_jersey-client|3.0.16| 4.0.0-m2, 3.1.10, 
> 3.0.17,...|
> I've seen that there is already a PR to fix 
> [CVE-2025-12383|https://github.com/advisories/GHSA-7p63-w6x9-6gr7]: 
> [#53404|https://github.com/apache/spark/pull/53404] SPARK-54649[BUILD][3.5] 
> Upgrade Jersey to 2.47
>  
> *Spark 3.5.7*
> ||Vulnerability||Severity||CVSS3||Package||Current Version||Fixed in version||
> |[CVE-2023-44981|https://nvd.nist.gov/vuln/detail/CVE-2023-44981]|Critical|N/A|org.apache.zookeeper_zookeeper|3.6.3|3.9.1,
>  3.8.3, 3.7.2|
> |[CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561]|Critical|NVD:
>  9.8|org.apache.avro_avro|1.7.7|1.11.4|
> A fix for [CVE-2023-44981|https://nvd.nist.gov/vuln/detail/CVE-2023-44981] 
> was already requested in SPARK-45956 and a backport to Spark 3.X was rejected 
> ([https://github.com/apache/spark/pull/43844#issuecomment-3468731350]). I 
> guess, the situation has not changed here?
>  
> Regarding [CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561], 
> I'm a bit confused whether it's a false positive or not. As far as I can see, 
> Spark 3.5.7 already uses Apache Avro 1.11.4 and Spark 4.0.1 uses Avro 1.12.0. 
> Could you please confirm that you do not use an older Avro version in some 
> circumstances? Thanks a lot!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to