[ https://issues.apache.org/jira/browse/SPARK-11652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15006413#comment-15006413 ]
Apache Spark commented on SPARK-11652:
--------------------------------------

User 'srowen' has created a pull request for this issue:
https://github.com/apache/spark/pull/9731

> Remote code execution with InvokerTransformer
> ---------------------------------------------
>
> Key: SPARK-11652
> URL: https://issues.apache.org/jira/browse/SPARK-11652
> Project: Spark
> Issue Type: Bug
> Components: Spark Core
> Reporter: Daniel Darabos
> Priority: Minor
>
> There is a remote code execution vulnerability in the Apache Commons
> Collections library (https://issues.apache.org/jira/browse/COLLECTIONS-580)
> that can be exploited simply by causing malicious data to be deserialized
> using Java serialization.
> As Spark is used in security-conscious environments, I think it's worth taking
> a closer look at how the vulnerability affects Spark. What are the points
> where Spark deserializes external data? Which are affected by using Kryo
> instead of Java serialization? What mitigation strategies are available?
> If the issue is serious enough but mitigation is possible, it may be useful
> to post about it on the mailing list or blog.
> Thanks!

--
This message was sent by Atlassian JIRA (v6.3.4#6332)