spark-user mailing list archives

From Eric Richardson <ekrichard...@gmail.com>
Subject Re: CVEs
Date Mon, 12 Jul 2021 17:44:40 GMT
Hi Sean and Holden,

I decided it was best to send an email so I could share all my findings
with the team. I think it should be relatively easy to fix with updates but
I am not that good at working on the repo. I tried but ended up with some
roadblocks that were going to take some time to figure out.

Thanks,
Eric

On Mon, Jun 21, 2021 at 5:45 PM Eric Richardson <ekrichardson@gmail.com>
wrote:

> Ok, that sounds like a plan. I will gather what I found and either reach
> out on the security channel and/or try and upgrade with a pull request.
>
> Thanks for pointing me in the right direction.
>
> On Mon, Jun 21, 2021 at 4:52 PM Sean Owen <srowen@gmail.com> wrote:
>
>> Yeah if it were clearly exploitable right now we'd handle it via private@
>> instead of JIRA; depends on what you think the importance is. If in doubt
>> reply to private@spark.apache.org
>>
>> On Mon, Jun 21, 2021 at 6:50 PM Holden Karau <holden@pigscanfly.ca>
>> wrote:
>>
>>> If you get to a point where you find something you think is highly
>>> likely a valid vulnerability the best path forward is likely reaching out
>>> to private@ to figure out how to do a security release.
>>>
>>> On Mon, Jun 21, 2021 at 4:42 PM Eric Richardson <ekrichardson@gmail.com>
>>> wrote:
>>>
>>>> Thanks for the quick reply. Yes, since it is included in the jars then
>>>> it is unclear whether it is used internally at least to me.
>>>>
>>>> I can substitute the jar in the distro to avoid the scanner from
>>>> finding it but then it is unclear whether I could be breaking something or
>>>> not. Given that 3.1.2 is the latest release, I guess you might expect that
>>>> it would pass the scanners but I am not sure if that version spans 3.0.x
>>>> and 3.1.x or not either.
>>>>
>>>> I can report findings in an issue where I am pretty darn sure it is a
>>>> valid vulnerability if that is ok? That at least would raise the
>>>> visibility.
>>>>
>>>> Will 3.2.x be Scala 2.13.x only or cross compiled with 2.12?
>>>>
>>>> I realize Spark is a beast so I just want to help if I can but also not
>>>> create extra work if it is not useful for me or the Spark team/contributors.
>>>>
>>>> On Mon, Jun 21, 2021 at 3:43 PM Sean Owen <srowen@gmail.com> wrote:
>>>>
>>>>> Whether it matters really depends on whether the CVE affects Spark.
>>>>> Sometimes it clearly could and so we'd try to back-port dependency updates
>>>>> to active branches.
>>>>> Sometimes it clearly doesn't and hey sometimes the dependency is
>>>>> updated anyway for good measure (mostly to keep this off static analyzer
>>>>> reports) but probably wouldn't backport.
>>>>>
>>>>> Jackson has been a persistent one but in this case Spark is already on
>>>>> 2.12.x in master, and it wasn't clear last time I looked at those CVEs
>>>>> that they can affect Spark itself. End user apps perhaps, but those
>>>>> apps can
>>>>> supply their own Jackson.
>>>>>
>>>>> If someone had a legit view that this is potentially more serious I
>>>>> think we could _probably backport that update, but Jackson can be a little
>>>>> bit tricky with compatibility IIRC so would just bear some testing.
>>>>>
>>>>>
>>>>> On Mon, Jun 21, 2021 at 5:27 PM Eric Richardson <
>>>>> ekrichardson@gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I am working with Spark 3.1.2 and getting several vulnerabilities
>>>>>> popping up. I am wondering if the Spark distros are scanned etc.
>>>>>> and how people resolve these.
>>>>>>
>>>>>> For example. I am finding -
>>>>>> https://nvd.nist.gov/vuln/detail/CVE-2020-25649
>>>>>>
>>>>>> This looks like it is fixed in 2.11.0 -
>>>>>> https://github.com/FasterXML/jackson-databind/issues/2589 - but
>>>>>> Spark supplies 2.10.0.
>>>>>>
>>>>>> Thanks,
>>>>>> Eric
>>>>>>
>>>>> --
>>> Twitter: https://twitter.com/holdenkarau
>>> Books (Learning Spark, High Performance Spark, etc.):
>>> https://amzn.to/2MaRAG9
>>> YouTube Live Streams: https://www.youtube.com/user/holdenkarau
>>>
>>
