Github user a-roberts commented on the issue:
https://github.com/apache/spark/pull/16888
Netty 4.1.1 and above has the fix in (a change to OpenSslEngine); Netty 4.0.x does not, and the implementations of OpenSslEngine differ substantially between the releases (so a simple case of adding in the fix would be non-trivial and potentially lead to complications; this would be the path of least resistance).

You can find more info on the CVE I'm concerned with at:
https://www.versioneye.com/java/io.netty:netty-all/4.0.43.Final

To be impacted it sounds as though we need to do several things: use Spark with Netty 4.1.0 and below (including the 4.0.x releases), have tcnative on our classpath, and specify to use the OpenSslEngine (there's a useful overview on why you'd want to do this [here](https://youtu.be/DKJ0w30M0vg?t=2969), which mentions it being a drop-in replacement for the JDK classes and offering superior performance). Info on using tcnative is [here](http://netty.io/wiki/forked-tomcat-native.html#wiki-h2-4).

We don't include any of the netty/tcnative native libraries for Spark, so I don't think we're impacted, but moving up to take on other fixes as well would be useful (and if it's so much faster we could see shuffle-intensive workloads speed up by upgrading and including natives later on). I'll set this as a WIP and look into why the tests fail.
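The three exposure conditions in the comment above (a Netty 4.x release below 4.1.1, netty-tcnative on the classpath, and the application selecting OpenSslEngine) can be checked mechanically against a list of jar names. The script below is an added example and is not code from the pull request or from Spark; the jar names are constructed sample input, and the `uses_openssl_engine` flag is a hypothetical stand-in for however a given application chooses its SSL provider.

```python
"""
Classpath triage for the Netty/OpenSslEngine exposure conditions described in
the comment. Added example, not Spark's or Netty's own code.

  1. a Netty 4.x jar older than 4.1.1 (the releases carrying the fix)
  2. a netty-tcnative jar present on the classpath
  3. the application configured to use OpenSslEngine (hypothetical flag here)
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# First Netty release the comment names as carrying the fix.
FIXED_IN: Version = (4, 1, 1)

# Matches netty-all-4.0.43.Final.jar, netty-handler-4.1.0.Final.jar, etc.
# netty-tcnative uses a different version scheme and is excluded explicitly.
NETTY_JAR = re.compile(
    r"^netty-(?!tcnative)(?:[a-z-]+-)?(\d+)\.(\d+)\.(\d+)(?:\.[\w-]+)?\.jar$"
)
TCNATIVE_JAR = re.compile(r"^netty-tcnative")


def netty_version(jar_name: str) -> Optional[Version]:
    """Return (major, minor, patch) for a Netty jar name, or None if it is not one."""
    m = NETTY_JAR.match(jar_name)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def netty_fixed(version: Version) -> bool:
    """True when the version is 4.1.1 or newer."""
    return version >= FIXED_IN


def assess(classpath: Iterable[str], uses_openssl_engine: bool) -> Dict[str, object]:
    """Evaluate all three conditions over a list of jar file names."""
    jars = list(classpath)
    versions: List[Version] = sorted(
        {v for v in map(netty_version, jars) if v is not None}
    )
    # Only the 4.x line is within the scope of the comment's analysis; other
    # majors are reported in netty_versions but not judged here.
    unfixed = [v for v in versions if v[0] == 4 and not netty_fixed(v)]
    tcnative = any(TCNATIVE_JAR.match(j) for j in jars)
    return {
        "netty_versions": versions,
        "unfixed_netty": unfixed,
        "tcnative_on_classpath": tcnative,
        "uses_openssl_engine": uses_openssl_engine,
        # All three conditions have to hold at once to be impacted.
        "impacted": bool(unfixed) and tcnative and uses_openssl_engine,
    }


if __name__ == "__main__":
    # Constructed sample classpath: an old netty-all jar but no tcnative, and
    # no OpenSslEngine selection -- the situation the comment describes for Spark.
    sample = ["netty-all-4.0.43.Final.jar", "scala-library-2.11.8.jar"]
    for key, value in assess(sample, uses_openssl_engine=False).items():
        print(f"{key}: {value}")
```

Run it against the output of listing a Spark distribution's `jars/` directory; only when all three fields are true does the report flag the deployment as impacted, which matches the reasoning in the comment that an old Netty on its own is not enough.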