I was going through this and CVE-2018-1334 vulnerabilities As per mitigation plan advised to upgrade to 2.2.2 and 2.3.1, but from the release notes I don’t find any reference against these vulnerabilities.Can some one please provide me the jira ID against which these issues are fixed.
Regards Sandeep Katta On Thu, 12 Jul 2018 at 1:47 AM, Sean Owen <sro...@apache.org> wrote: > Severity: Medium > > Vendor: The Apache Software Foundation > > Versions Affected: > Spark versions through 2.1.2 > Spark 2.2.0 through 2.2.1 > Spark 2.3.0 > > Description: > In Apache Spark up to and including 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's > possible for a malicious user to construct a URL pointing to a Spark > cluster's UI's job and stage info pages, and if a user can be tricked into > accessing the URL, can be used to cause script to execute and expose > information from the user's view of the Spark UI. While some browsers like > recent versions of Chrome and Safari are able to block this type of attack, > current versions of Firefox (and possibly others) do not. > > Mitigation: > 1.x, 2.0.x, and 2.1.x users should upgrade to 2.1.3 or newer > 2.2.x users should upgrade to 2.2.2 or newer > 2.3.x users should upgrade to 2.3.1 or newer > > Credit: > Spencer Gietzen, Rhino Security Labs > > References: > https://spark.apache.org/security.html >
