Github user steveloughran commented on the pull request:

    https://github.com/apache/spark/pull/11449#issuecomment-191741549
  
    The risk is deserialization; Groovy CVE-2015-3253 shows how Groovy < 2.4.4
    makes it straightforward to use a class in Groovy to run arbitrary shell
    commands on the destination. This has been shown on Java ObjectStream and
    XStream, so assume Kryo is vulnerable too.
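The control a reviewer would ask for on the receiving side of a Kryo stream is an allowlist of deserializable classes, which Kryo supports directly via `setRegistrationRequired(true)`. The following is an added example and is not code from the Spark pull request or from the Kryo project; the `Job` and `Untrusted` classes are constructed for the demo, and the sender-side `Kryo` instance is deliberately permissive to model bytes that arrive from an untrusted peer.

```java
// Added example (not from the Spark PR or the Kryo project): receiver-side
// Kryo configuration that refuses any class the receiver has not registered.
// Job and Untrusted are constructed for this demo.
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;

import java.io.ByteArrayOutputStream;

public class KryoAllowlistDemo {

    // A record type the receiver legitimately expects (constructed for the demo).
    public static class Job {
        public String name;
        public int partitions;
        public Job() {}
        public Job(String name, int partitions) { this.name = name; this.partitions = partitions; }
    }

    // Stands in for any class the receiver never agreed to deserialize.
    // It is harmless on purpose; the point is only that it is unregistered.
    public static class Untrusted {
        public String payload = "unexpected";
        public Untrusted() {}
    }

    // Sender side: a permissive Kryo writes the class NAME into the stream for
    // anything it has not registered. Attacker-controlled input looks like this.
    static byte[] encodePermissive(Object obj) {
        Kryo sender = new Kryo();
        sender.setRegistrationRequired(false);
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        Output out = new Output(bytes);
        sender.writeClassAndObject(out, obj);
        out.close();
        return bytes.toByteArray();
    }

    // Receiver side: registration required, so a stream naming a class that is
    // not on the allowlist is rejected before any instance of it is created.
    static Kryo hardenedReceiver() {
        Kryo receiver = new Kryo();
        receiver.setRegistrationRequired(true);   // allowlist, not a blocklist
        receiver.register(Job.class);             // the only user type accepted
        return receiver;
    }

    static Object decode(Kryo receiver, byte[] data) {
        return receiver.readClassAndObject(new Input(data));
    }

    public static void main(String[] args) {
        Kryo receiver = hardenedReceiver();

        // The expected type round-trips normally.
        Job job = (Job) decode(receiver, encodePermissive(new Job("etl", 8)));
        System.out.println("accepted: " + job.name + " x" + job.partitions);

        // An unregistered type is refused: Kryo throws on the class lookup,
        // so no constructor, field setter or readObject-style hook ever runs.
        try {
            decode(receiver, encodePermissive(new Untrusted()));
            System.out.println("BUG: unregistered class was deserialized");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check worth carrying into review of the PR is that every `Kryo` instance which reads bytes from another host has `setRegistrationRequired(true)` and an explicit `register(...)` list; a Kryo built with the default settings of the 3.x/4.x line accepts any class name the stream supplies. The equivalent control for plain `ObjectInputStream` is a JEP 290 `ObjectInputFilter` (Java 9, backported to 8u121), and XStream has its own per-instance type allowlist; none of them is a substitute for not deserializing untrusted bytes at all, which is the comment's underlying point.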


