SPARK-38252

Upgrade Dependencies in spark-sql Java library


Details

    • Type: Dependency upgrade
    • Status: Resolved
    • Priority: Critical
    • Resolution: Invalid
    • Affects Version/s: 3.2.1
    • Fix Version/s: None
    • Component/s: Java API
    • Labels: None
    • Flags: Patch, Important

    Description

      There are numerous vulnerabilities in the spark-sql Java library.

      Can we please upgrade the transitive dependencies to mitigate these vulnerabilities?

      Maven Dependency

      <dependency>
        <groupId>org.apache.spark</groupId>
        <artifactId>spark-sql_2.13</artifactId>
        <version>3.2.1</version>
      </dependency>

       

      Vulnerabilities

      Found 17 vulnerabilities (12 High, 4 Medium, 1 Low)
      ---------------------------------------------------------------
      | SEVERITY  |  LIBRARY                      |  ID             |
      |---------- | ----------------------------- | ----------------|
      | HIGH      |  commons-compress-1.20.jar    |  CVE-2021-35515 |
      |---------- | ----------------------------- | ----------------|
      | HIGH      |  commons-compress-1.20.jar    |  CVE-2021-35516 |
      |---------- | ----------------------------- | ----------------|
      | HIGH      |  commons-compress-1.20.jar    |  CVE-2021-35517 |
      |---------- | ----------------------------- | ----------------|
      | HIGH      |  commons-compress-1.20.jar    |  CVE-2021-36090 |
      |---------- | ----------------------------- | ----------------|
      | HIGH      |  gson-2.8.6.jar               |  WS-2021-0419   |
      |---------- | ----------------------------- | ----------------|
      | HIGH      |  log4j-1.2.17.jar             |  CVE-2019-17571 |
      |---------- | ----------------------------- | ----------------|
      | HIGH      |  log4j-1.2.17.jar             |  CVE-2020-9493  |
      |---------- | ----------------------------- | ----------------|
      | HIGH      |  log4j-1.2.17.jar             |  CVE-2021-4104  |
      |---------- | ----------------------------- | ----------------|
      | HIGH      |  log4j-1.2.17.jar             |  CVE-2022-23302 |
      |---------- | ----------------------------- | ----------------|
      | HIGH      |  log4j-1.2.17.jar             |  CVE-2022-23305 |
      |---------- | ----------------------------- | ----------------|
      | HIGH      |  log4j-1.2.17.jar             |  CVE-2022-23307 |
      |---------- | ----------------------------- | ----------------|
      | HIGH      |  netty-all-4.1.68.Final.jar   |  WS-2020-0408   |
      |---------- | ----------------------------- | ----------------|
      | MEDIUM    |  jackson-core-2.12.3.jar      |  WS-2021-0616   |
      |---------- | ----------------------------- | ----------------|
      | MEDIUM    |  jackson-databind-2.12.3.jar  |  WS-2021-0616   |
      |---------- | ----------------------------- | ----------------|
      | MEDIUM    |  netty-all-4.1.68.Final.jar   |  CVE-2021-43797 |
      |---------- | ----------------------------- | ----------------|
      | MEDIUM    |  protobuf-java-2.5.0.jar      |  CVE-2021-22569 |
      |---------- | ----------------------------- | ----------------|
      | LOW       |  log4j-1.2.17.jar             |  CVE-2020-9488  |
      ---------------------------------------------------------------

       

      People

        Assignee: Unassigned
        Reporter: Dhaval Shewale
        Votes: 0
        Watchers: 1