
CVE-2022-42889 upgrade commons text library to 1.10.0 in spark 3.0.0


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 3.0.0
    • Fix Version/s: None
    • Component/s: Spark Core

    Description

      Hi Team,

      We use spark-core_2.12:3.0.0, which has a transitive dependency on commons-text 1.6, and this is flagged as CVE-2022-42889.

      We have our Spark application built using Maven with spark-core_2.12:3.0.0.

      Need clarifications on the below:

      • Does spark-core use StringSubstitutor, and do we need to worry about this?
      • If it's getting used, then which lib or code within spark-core triggers it?
      • Can we include Apache Commons Text 1.10.0 as an explicit dependency in our POM and add commons-text 1.6 to the exclusions for spark-core? Will it work?
      • Upgrading to another Spark version which may have commons-text upgraded to 1.10.0 is not feasible and a big task for us, considering all dependent applications use the 3.0.0 version.
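      As an added illustration of the exclusion-plus-explicit-dependency approach asked about above (an example POM, not the reporter's or the Spark project's own; the com.example coordinates are placeholders): the dependencyManagement pin and the exclusion each make Maven resolve commons-text 1.10.0 in place of the transitive 1.6.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <!-- Placeholder coordinates for the application (assumed, not from the issue). -->
  <groupId>com.example</groupId>
  <artifactId>spark-app</artifactId>
  <version>1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Pins the version Maven resolves for commons-text wherever it is
           reached in the tree, including transitively via spark-core. -->
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-text</artifactId>
        <version>1.10.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.spark</groupId>
      <artifactId>spark-core_2.12</artifactId>
      <version>3.0.0</version>
      <!-- Drops the transitive commons-text 1.6 so the dependency tree
           shows only the explicit declaration below. -->
      <exclusions>
        <exclusion>
          <groupId>org.apache.commons</groupId>
          <artifactId>commons-text</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Explicit direct dependency on the fixed release. -->
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>1.10.0</version>
    </dependency>
  </dependencies>
</project>
```

      Confirm the result with `mvn dependency:tree -Dincludes=org.apache.commons:commons-text`, which should list only 1.10.0. This changes only what the application itself bundles, not the jars shipped in a Spark installation's own classpath.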

          People

            Assignee: Unassigned
            Reporter: rajesh.katkar (Rajesh)
            Votes: 0
            Watchers: 3
