aws-samples / aws-glue-samples

AWS Glue code samples
MIT No Attribution

Spark UI security vulnerabilities #94

Status: Closed (closed by GergelyKalmar 2 years ago)

GergelyKalmar commented 3 years ago

WhiteSource Bolt is reporting one high and two medium severity vulnerabilities on the Spark UI maven dependencies (coming from https://github.com/aws-samples/aws-glue-samples/blob/master/utilities/Spark_UI/pom.xml):

CVE-2020-28491
Path to dependency file: .../spark-ui/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-cbor/2.6.7/jackson-dataformat-cbor-2.6.7.jar

Dependency Hierarchy:
-> aws-java-sdk-core-1.11.696.jar (Root Library)
   -> x jackson-dataformat-cbor-2.6.7.jar (Vulnerable Library)

---

WS-2019-0379
Path to dependency file: .../spark-ui/pom.xml
Path to vulnerable library: /tmp/ws-ua_20210713195242_YPVBOO/downloadResource_AYMAMN/20210713195412/commons-codec-1.11.jar

Dependency Hierarchy:
-> httpclient-4.5.9.jar (Root Library)
   -> x commons-codec-1.11.jar (Vulnerable Library)

---

CVE-2020-13956
Path to dependency file: .../spark-ui/pom.xml
Path to vulnerable library: /home/wss-canner/.m2/repository/org/apache/httpcomponents/httpclient/4.5.9/httpclient-4.5.9.jar

Dependency Hierarchy:
-> x httpclient-4.5.9.jar (Vulnerable Library)

It would be great if these could be fixed.

moomindani commented 2 years ago

Thank you for reporting this issue.

This pom.xml (for Glue 3.0) has the upgraded httpclient. We recommend using this version. https://github.com/aws-samples/aws-glue-samples/blob/master/utilities/Spark_UI/glue-3_0/pom.xml

Note: The dependency on httpclient is coming from Apache Spark. We cannot simply upgrade the pom.xml for Glue 2.0 to keep compatibility.
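The scanner output in the report above and the maintainer's reply both turn on the same question: for each finding, which root library actually controls the vulnerable jar's version, and is the flagged jar a direct dependency or a transitive one (as httpclient is here, pulled in through Spark)? The following triage script is an added example written for this thread, not code from the reporter, the maintainer, or the aws-glue-samples project. It parses the "Dependency Hierarchy" layout WhiteSource Bolt uses, splits each jar name into artifact and version, and groups advisories by root library so a maintainer can see at a glance which upgrades are direct bumps and which would need a transitive override. The embedded report is a constructed sample retyped from the three findings in this issue; the scanner path with the `wss-scanner` spelling is assumed to be the intended one.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three findings from this issue, retyped in the
# layout WhiteSource Bolt uses above (not the scanner's verbatim output).
SAMPLE_REPORT = """\
CVE-2020-28491
Path to dependency file: .../spark-ui/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-cbor/2.6.7/jackson-dataformat-cbor-2.6.7.jar

Dependency Hierarchy:
-> aws-java-sdk-core-1.11.696.jar (Root Library)
   -> x jackson-dataformat-cbor-2.6.7.jar (Vulnerable Library)

---

WS-2019-0379
Path to dependency file: .../spark-ui/pom.xml
Path to vulnerable library: /tmp/ws-ua_20210713195242_YPVBOO/downloadResource_AYMAMN/20210713195412/commons-codec-1.11.jar

Dependency Hierarchy:
-> httpclient-4.5.9.jar (Root Library)
   -> x commons-codec-1.11.jar (Vulnerable Library)

---

CVE-2020-13956
Path to dependency file: .../spark-ui/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/httpcomponents/httpclient/4.5.9/httpclient-4.5.9.jar

Dependency Hierarchy:
-> x httpclient-4.5.9.jar (Vulnerable Library)
"""

# One hierarchy line: optional "x" marker, jar file name, role in parentheses.
HIERARCHY_LINE = re.compile(
    r"^\s*->\s*(?P<flag>x\s+)?(?P<jar>\S+\.jar)\s*\((?P<role>[^)]*)\)"
)
# Maven-style jar name: artifact id, then a version starting with a digit.
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.]*)\.jar$")


@dataclass
class Finding:
    advisory: str          # CVE or WhiteSource id heading the block
    dependency_file: str   # "Path to dependency file" value
    chain: list            # jars from the root library down to the flagged one
    vulnerable_jar: str    # jar marked "x" in the hierarchy

    @property
    def root_jar(self):
        return self.chain[0]

    @property
    def transitive(self):
        # A transitive finding cannot be fixed by editing the vulnerable jar's
        # own coordinates; the root library (or a managed override) decides it.
        return self.vulnerable_jar != self.root_jar


def artifact_version(jar):
    """Split 'httpclient-4.5.9.jar' into ('httpclient', '4.5.9')."""
    m = JAR_NAME.match(jar)
    if not m:
        raise ValueError(f"unrecognised jar name: {jar}")
    return m.group("artifact"), m.group("version")


def parse_report(text):
    """Parse a WhiteSource-style report into a list of Finding objects."""
    findings = []
    for block in re.split(r"^---\s*$", text, flags=re.MULTILINE):
        lines = [ln.rstrip() for ln in block.strip().splitlines()]
        if not lines:
            continue
        advisory = lines[0].strip()
        dep_file, chain, vulnerable = "", [], None
        for ln in lines[1:]:
            if ln.startswith("Path to dependency file:"):
                dep_file = ln.split(":", 1)[1].strip()
                continue
            m = HIERARCHY_LINE.match(ln)
            if m:
                chain.append(m.group("jar"))
                if m.group("flag"):
                    vulnerable = m.group("jar")
        if not chain or vulnerable is None:
            raise ValueError(f"{advisory}: no dependency hierarchy found")
        findings.append(Finding(advisory, dep_file, chain, vulnerable))
    return findings


def remediation_plan(findings):
    """Group advisory ids by the root artifact whose version controls the fix."""
    plan = {}
    for f in findings:
        artifact, _ = artifact_version(f.root_jar)
        plan.setdefault(artifact, []).append(f.advisory)
    return plan


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        kind = "transitive via" if f.transitive else "direct on"
        print(f"{f.advisory}: {f.vulnerable_jar} ({kind} {f.root_jar})")
    print(remediation_plan(SAMPLE_REPORT and parse_report(SAMPLE_REPORT)))
```

Run on the sample, the plan groups WS-2019-0379 and CVE-2020-13956 under httpclient and CVE-2020-28491 under aws-java-sdk-core, which matches the maintainer's framing: two of the three findings are settled by whichever httpclient version the Spark build brings in, so the pom.xml for a given Glue version, not the individual jar, is the unit to upgrade.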