Spark / SPARK-32336

11 Critical & 4 High severity issues in Apache Spark 3.0.0 - dependency libraries


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 3.0.0
    • Fix Version/s: None
    • Component/s: Build, Security
    • Flags: Patch, Important
    • External issue ID: CVE-2018-17190, CVE-2018-11777, CVE-2018-17190, CVE-2018-21234, CVE-2017-15718, CVE-2018-8009, CVE-2018-11766, CVE-2018-8029, CVE-2018-1337, CVE-2015-3250

    Description

    CVE-2018-1337 In Apache Directory LDAP API before 1.0.2, - upgrade dependency to 1.0.2
    CVE-2018-17190 In all versions of Apache Spark,
    CVE-2017-15718 The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 - upgrade lib
    CVE-2018-21234 Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.
    CVE-2019-17571 Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
    CVE-2018-17190 In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker
    CVE-2020-9480 In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret.


    People

    • Assignee: Unassigned
    • Reporter: ABakerIII (Albert Baker)
    • Votes: 0
    • Watchers: 2


    Time Tracking

    • Estimated: 24h (original estimate)
    • Remaining: 24h (remaining estimate)
    • Logged: Not Specified