I was going through this and CVE-2018-1334 vulnerabilities

As per mitigation plan advised to upgrade to 2.2.2 and 2.3.1, but from the
release notes I don’t find any reference against these vulnerabilities.Can
some one please provide me the jira ID against which these issues are fixed.

Regards
Sandeep Katta

On Thu, 12 Jul 2018 at 1:47 AM, Sean Owen <sro...@apache.org> wrote:

> Severity: Medium
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Spark versions through 2.1.2
> Spark 2.2.0 through 2.2.1
> Spark 2.3.0
>
> Description:
> In Apache Spark up to and including 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's
> possible for a malicious user to construct a URL pointing to a Spark
> cluster's UI's job and stage info pages, and if a user can be tricked into
> accessing the URL, can be used to cause script to execute and expose
> information from the user's view of the Spark UI. While some browsers like
> recent versions of Chrome and Safari are able to block this type of attack,
> current versions of Firefox (and possibly others) do not.
>
> Mitigation:
> 1.x, 2.0.x, and 2.1.x users should upgrade to 2.1.3 or newer
> 2.2.x users should upgrade to 2.2.2 or newer
> 2.3.x users should upgrade to 2.3.1 or newer
>
> Credit:
> Spencer Gietzen, Rhino Security Labs
>
> References:
> https://spark.apache.org/security.html
>

Reply via email to