
Current Security vulnerabilities in spark libraries

Details

    • Type: Dependency upgrade
    • Status: Resolved
    • Priority: Major
    • Resolution: Not A Problem
    • Affects Version/s: 3.1.1
    • Fix Version/s: None
    • Component/s: Build

    Description

      The following libraries have the following vulnerabilities that will fail Nexus security scans. They are deemed as threats of level 7 and higher on the Sonatype/Nexus scale. Many of them can be fixed by upgrading the dependencies, as they are fixed in subsequent releases.

      [Update - still present] com.fasterxml.woodstox : woodstox-core : 5.0.3
        * https://github.com/FasterXML/woodstox/issues/50

      [Update - still present] com.nimbusds : nimbus-jose-jwt : 4.41.1
        * https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt

      [Update - still present] Log4j : log4j : 1.2.17
        * SocketServer class that is vulnerable to deserialization of untrusted data: https://issues.apache.org/jira/browse/LOG4J2-1863
        * Dynamic-link Library (DLL) Preloading:

      [Fixed] -apache-xerces : xercesImpl : 2.9.1-
        * hash table collisions -> -https://issues.apache.org/jira/browse/XERCESJ-1685-

      [Update - still present] com.fasterxml.jackson.core : jackson-databind : 2.10.0
        * https://github.com/FasterXML/jackson-databind/issues/2589

      [Update - still present] commons-beanutils : commons-beanutils : 1.9.3
        * http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader

      [Update - still present] commons-io : commons-io : 2.5
        * https://github.com/apache/commons-io/pull/52

      [Upgraded to 4.1.51.Final, still with vulnerabilities, see new below] io.netty : netty-all : 4.1.47.Final
        * https://github.com/netty/netty/issues/10351
        * -https://github.com/netty/netty/pull/10560-

      [Update - still present] org.apache.commons : commons-compress : 1.18
        * https://commons.apache.org/proper/commons-compress/security-reports.html#Apache_Commons_Compress_Security_Vulnerabilities

      [Update - changed to org.apache.hadoop : hadoop-hdfs-client : 3.2.0, see new below] org.apache.hadoop : hadoop-hdfs : 2.7.4
        * https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E

      [Update - still present] org.codehaus.jackson : jackson-mapper-asl : 1.9.13
        * https://github.com/FasterXML/jackson-databind/issues/1599

      [Update - still present] org.eclipse.jetty : jetty-http : 9.3.24.v20180605
        * https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096

      [Update - still present] org.eclipse.jetty : jetty-webapp : 9.3.24.v20180605
        * https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921

      New:

      datatables 1.10.7

      jquery 3.3.1

      net.minidev : json-smart : 2.3
        * https://github.com/netplex/json-smart-v1/issues/7

      org.apache.hadoop : hadoop-yarn-common : 3.2.0
        * https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

      com.squareup.okhttp : okhttp : 2.7.5
        * https://source.android.com/security/bulletin/2021-02-01#android-runtime

      io.netty : netty-all : 4.1.51.Final
        * https://github.com/netty/netty/issues/10351

      org.apache.hadoop : hadoop-hdfs-client : 3.2.0

    People

      Assignee: Unassigned
      Reporter: emac3060 eoin
      Votes: 1
      Watchers: 8


    Time Tracking

      Original Estimate: 168h
      Remaining Estimate: 168h
      Time Spent: Not Specified