[ https://issues.apache.org/jira/browse/SPARK-34511 ]


    Abhinav Kumar deleted comment on SPARK-34511:
    ---------------------------------------

was (Author: abhinavofficial):
Hi [~dongjoon] - We are still seeing json-smart 2.3 in the binaries that are 
distributed. Is it there by error? Maybe the code was not ported in 3.1.2 (we 
are using this) and also in 3.2.0 and 3.2.1. Could you please check?

> Current Security vulnerabilities in spark libraries
> ---------------------------------------------------
>
>                 Key: SPARK-34511
>                 URL: https://issues.apache.org/jira/browse/SPARK-34511
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Build
>    Affects Versions: 3.1.1
>            Reporter: eoin
>            Priority: Major
>              Labels: security
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> The following libraries have the following vulnerabilities that will fail 
> Nexus security scans. They are deemed as threats of level 7 and higher on the 
> Sonatype/Nexus scale. Many of them can be fixed by upgrading the dependencies, 
> as they are fixed in subsequent releases.
>
> [Update - still present] com.fasterxml.woodstox : woodstox-core : 5.0.3
>  * [https://github.com/FasterXML/woodstox/issues/50]
>  * [https://github.com/FasterXML/woodstox/issues/51]
>  * [https://github.com/FasterXML/woodstox/issues/61]
>
> [Update - still present] com.nimbusds : nimbus-jose-jwt : 4.41.1
>  * [https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt]
>  * [https://connect2id.com/blog/nimbus-jose-jwt-7-9]
>
> [Update - still present] Log4j : log4j : 1.2.17
>  SocketServer class that is vulnerable to deserialization of untrusted data:
>  * https://issues.apache.org/jira/browse/LOG4J2-1863
>  * [https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E]
>  * [https://bugzilla.redhat.com/show_bug.cgi?id=1785616]
>  Dynamic-link Library (DLL) Preloading:
>  * [https://bz.apache.org/bugzilla/show_bug.cgi?id=50323]
>
> [Fixed] -apache-xerces : xercesImpl : 2.9.1-
>  * -hash table collisions -> https://issues.apache.org/jira/browse/XERCESJ-1685-
>  * -[https://mail-archives.apache.org/mod_mbox/xerces-j-dev/201410.mbox/%3cof3b40f5f7.e6552a8b-on85257d73.00699ed7-85257d73.006a9...@ca.ibm.com%3E]-
>  * -[https://bugzilla.redhat.com/show_bug.cgi?id=1019176]-
>
> [Update - still present] com.fasterxml.jackson.core : jackson-databind : 2.10.0
>  * [https://github.com/FasterXML/jackson-databind/issues/2589]
>
> [Update - still present] commons-beanutils : commons-beanutils : 1.9.3
>  * [http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader]
>  * https://issues.apache.org/jira/browse/BEANUTILS-463
>
> [Update - still present] commons-io : commons-io : 2.5
>  * [https://github.com/apache/commons-io/pull/52]
>  * https://issues.apache.org/jira/browse/IO-556
>  * https://issues.apache.org/jira/browse/IO-559
>
> [Upgraded to 4.1.51.Final, still with vulnerabilities, see new below] -io.netty : netty-all : 4.1.47.Final-
>  * -[https://github.com/netty/netty/issues/10351]-
>  * -[https://github.com/netty/netty/pull/10560]-
>
> [Update - still present] org.apache.commons : commons-compress : 1.18
>  * [https://commons.apache.org/proper/commons-compress/security-reports.html#Apache_Commons_Compress_Security_Vulnerabilities]
>
> [Update - changed to org.apache.hadoop : hadoop-hdfs-client : 3.2.0, see new below] -org.apache.hadoop : hadoop-hdfs : 2.7.4-
>  * -[https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E]-
>  * -[https://lists.apache.org/thread.html/caacbbba2dcc1105163f76f3dfee5fbd22e0417e0783212787086378@%3Cgeneral.hadoop.apache.org%3E]-
>  * -[https://hadoop.apache.org/cve_list.html]-
>  * -[https://www.openwall.com/lists/oss-security/2019/01/24/3]-
>
> -org.apache.hadoop : hadoop-mapreduce-client-core : 2.7.4-
>  * -[https://bugzilla.redhat.com/show_bug.cgi?id=1516399]-
>  * -[https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E]-
>
> [Update - still present] org.codehaus.jackson : jackson-mapper-asl : 1.9.13
>  * [https://github.com/FasterXML/jackson-databind/issues/1599]
>  * [https://blog.sonatype.com/jackson-databind-remote-code-execution]
>  * [https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist]
>  * [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525]
>  * [https://access.redhat.com/security/cve/cve-2019-10172]
>  * [https://bugzilla.redhat.com/show_bug.cgi?id=1715075]
>  * [https://nvd.nist.gov/vuln/detail/CVE-2019-10172]
>
> [Update - still present] org.eclipse.jetty : jetty-http : 9.3.24.v20180605
>  * [https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096]
>
> [Update - still present] org.eclipse.jetty : jetty-webapp : 9.3.24.v20180605
>  * [https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921]
>  * [https://github.com/eclipse/jetty.project/issues/5451]
>  * [https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6]
>
> New:
>
> datatables 1.10.7
>  * [https://github.com/DataTables/Dist-DataTables/commit/e2e19eac7e5a6f140d7eefca5c7deba165b357eb#diff-e7d8309f017dd2ef6385fa8cdc1539a2R2765]
>
> jquery 3.3.1
>  * [https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/]
>  * [https://github.com/cbeust/testng/issues/2150]
>
> net.minidev : json-smart : 2.3
>  * [https://github.com/netplex/json-smart-v1/issues/7]
>  * [https://github.com/netplex/json-smart-v2/issues/60]
>
> org.apache.hadoop : hadoop-yarn-common : 3.2.0
>  * [https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/]
>  * [https://github.com/cbeust/testng/issues/2150]
>  * [https://github.com/DataTables/Dist-DataTables/commit/e2e19eac7e5a6f140d7eefca5c7deba165b357eb#diff-e7d8309f017dd2ef6385fa8cdc1539a2R2765]
>
> com.squareup.okhttp : okhttp : 2.7.5
>  * [https://source.android.com/security/bulletin/2021-02-01#android-runtime]
>
> io.netty : netty-all : 4.1.51.Final
>  * [https://github.com/netty/netty/issues/10351]
>  * [https://github.com/netty/netty/pull/10560]
>
> org.apache.hadoop : hadoop-hdfs-client : 3.2.0
>  * [https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E]



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
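The deleted comment above asks the question a practitioner has to answer for every Spark release: is a reported artifact (json-smart 2.3, for instance) actually shipped in the distributed binaries? The following script is an added example, not code from the ticket, from Apache Spark or from any of the linked projects. It assumes the jars live in the distribution's jars/ directory and are named <artifactId>-<version>.jar, and that Maven-built jars carry META-INF/maven/<groupId>/<artifactId>/pom.properties (shaded jars may carry several, which is how a relocated json-smart inside an uber jar gets caught). The version table is the ticket's own list; anything at or below the reported version is flagged for review. The ticket gives no fixed versions, so this is a "still present" check, not a "fixed in" check. The sample jar built by fake_jar() is a constructed test fixture.

```python
import io
import os
import re
import sys
import zipfile

# (groupId, artifactId) -> version as reported in SPARK-34511. Entries the
# ticket struck through (xercesImpl 2.9.1, hadoop-hdfs 2.7.4,
# hadoop-mapreduce-client-core 2.7.4, netty-all 4.1.47.Final) are omitted;
# datatables and jquery are web assets rather than jars, so they are not covered.
# The ticket writes "Log4j : log4j"; the Maven groupId is "log4j" (assumption).
REPORTED = {
    ("com.fasterxml.woodstox", "woodstox-core"): "5.0.3",
    ("com.nimbusds", "nimbus-jose-jwt"): "4.41.1",
    ("log4j", "log4j"): "1.2.17",
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.10.0",
    ("commons-beanutils", "commons-beanutils"): "1.9.3",
    ("commons-io", "commons-io"): "2.5",
    ("org.apache.commons", "commons-compress"): "1.18",
    ("org.codehaus.jackson", "jackson-mapper-asl"): "1.9.13",
    ("org.eclipse.jetty", "jetty-http"): "9.3.24.v20180605",
    ("org.eclipse.jetty", "jetty-webapp"): "9.3.24.v20180605",
    ("net.minidev", "json-smart"): "2.3",
    ("org.apache.hadoop", "hadoop-yarn-common"): "3.2.0",
    ("com.squareup.okhttp", "okhttp"): "2.7.5",
    ("io.netty", "netty-all"): "4.1.51.Final",
    ("org.apache.hadoop", "hadoop-hdfs-client"): "3.2.0",
}

# <artifactId>-<version>.jar; the version starts at the first "-<digit>".
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def version_key(version):
    """Sortable key: numeric tokens compare as ints, others (Final, v2018...) as text."""
    return [(0, int(tok)) if tok.isdigit() else (1, tok.lower())
            for tok in re.split(r"[.\-_]", version)]


def at_or_below(version, reported):
    return version_key(version) <= version_key(reported)


def check(artifact, version, group=None):
    """Return the reported version when this coordinate needs review, else None.
    group is None when only a file name (no pom.properties) is available."""
    for (g, a), reported in REPORTED.items():
        if a == artifact and group in (None, g) and at_or_below(version, reported):
            return reported
    return None


def coordinates_from_jar(jar):
    """All (groupId, artifactId, version) triples from pom.properties entries.
    Shaded jars can embed several; returns [] when the jar carries none."""
    coords = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("#") or "=" not in line:
                    continue
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
            if all(k in props for k in ("groupId", "artifactId", "version")):
                coords.append((props["groupId"], props["artifactId"], props["version"]))
    return coords


def scan_names(names):
    """Name-only check, used when a jar has no pom.properties."""
    findings = []
    for name in names:
        m = JAR_NAME.match(os.path.basename(name))
        if m:
            reported = check(m["artifact"], m["version"])
            if reported:
                findings.append((m["artifact"], m["version"], reported))
    return findings


def scan_jar(jar, name):
    """Prefer the Maven coordinates inside the jar; fall back to its file name."""
    coords = coordinates_from_jar(jar)
    if not coords:
        return scan_names([name])
    findings = []
    for g, a, v in coords:
        reported = check(a, v, g)
        if reported:
            findings.append((a, v, reported))
    return findings


def scan_dir(jars_dir):
    findings = []
    for name in sorted(os.listdir(jars_dir)):
        if name.endswith(".jar"):
            findings.extend(scan_jar(os.path.join(jars_dir, name), name))
    return findings


def fake_jar(group, artifact, version):
    """Constructed in-memory jar holding only a pom.properties (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"#constructed\nversion={version}\ngroupId={group}\nartifactId={artifact}\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.join(os.environ.get("SPARK_HOME", "."), "jars")
    if not os.path.isdir(target):
        sys.exit(f"no such directory: {target}")
    for artifact, version, reported in scan_dir(target):
        print(f"{artifact} {version}: at or below {reported} reported in SPARK-34511")
```

Run it as `python scan_jars.py $SPARK_HOME/jars` against an unpacked 3.1.2 or 3.2.x tarball; an empty result means none of the listed coordinates are present at or below the reported versions, while a hit on a jar whose file name does not mention the artifact (for example a hadoop-client-runtime shaded jar) is exactly the case the name-only check would miss.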
