Uploaded image for project: 'Spark'
  1. Spark
  2. SPARK-40908

need guidance for vulnerability CVE-2022-42889 in spark 3.0.0 version

    XMLWordPrintableJSON

Details

    • Question
    • Status: Closed
    • Major
    • Resolution: Invalid
    • 3.0.0
    • None
    • Spark Core
    • Important

    Description

      Hi Spark team,

       

      dongjoon  bjornjorgensen 

       

       

      We are using spark 3.0.0 on AWS EMR service to run our spark jobs. 

      spark-core_2.12:3.0.0  has transitive dependency on commons-text 1.6 and this is flagged as critical severity CVE-2022-42889.

      As per Jira SPARK-40801 , commons text has been upgraded and spark 3.4.0 is released.

      We are dependent on AWS EMR service and changing EMR version and spark version is big task for us considering all downstream dependent applications

      We know spark 3.0.0 is EOL for you but would really appreciate if could provide guidance on it.

      We have few queries and need inputs from spark dev team to handle this issue on priority at our end 

       

       

       

       

       

      Attachments

        Activity

          People

            Unassigned Unassigned
            rajesh.katkar Rajesh
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: