Hi Sean,

Just to dig deeper into the message: totally agreed, this Hive vulnerability
does not directly affect Spark usage.

However, we are seeing the package as affected as long as a
dependency/package/jar is being packaged in a product.
This is part of the process strongly advised by many security teams.

Thanks,
Balaji



From: Sean Owen <sro...@gmail.com>
Sent: 28 January 2025 18:53
To: Balaji Sudharsanam V <balaji.sudharsa...@ibm.com>
Cc: dev <dev@spark.apache.org>
Subject: [EXTERNAL] Re: Spark 4.0 vulnerable with hive-metastore-2.3.x.jar versions

If you use vulnerable code in your application, sure, you might be exposed to 
its vulnerability. That's a problem for the application rather than Spark.

Here I am asking if you know of a reason this CVE affects Spark usage, because 
you're asking about mitigating it. I'm first establishing whether there is 
something to mitigate.

On Mon, Jan 27, 2025 at 11:26 PM Balaji Sudharsanam V
<balaji.sudharsa...@ibm.com> wrote:
Hi Mich,

True the vulnerable jar (hive-metastore-2.3.9.jar) is not directly related to 
Spark.
And completely agree, “Spark does not run a Hive metastore itself nor use Hive 
for executing queries.”

Like Nicholas said,

When looking at vulnerabilities, many security teams, including ours, have
begun to look at them as Vulnerable or Affected. Vulnerable means directly
impacted by the vulnerability and exploitable, while Affected indicates that a
vulnerable dependency/package/jar is being delivered with a product.
With that said, what if a user accidentally uses one of these dependents in
their Spark application, with the Java CLASSPATH set to give $SPARK_HOME/jars
precedence, and in turn exposes the unknowing end user to a vulnerability that
way?

I am also new to this mailing list and its discussions.
I am not sure about this: “Can you connect the CVE to Spark?” Please help with this!

Thanks,
Balaji

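The classpath-precedence question above (which copy of a class wins when $SPARK_HOME/jars and the application's own jars both carry it) and the "Affected" check (is a hive-metastore-2.3.x jar delivered in the jar directory at all) can both be answered with a small inventory script. The code below is an added example written for this editing pass; it is not part of the thread and not Spark or Hive project code. It builds constructed stand-in jars in a temporary directory (empty `.class` entries, no real bytecode), assumes `org.apache.hadoop.hive.metastore.HiveMetaStoreClient` as an illustrative class that lives in the metastore jar, and uses a hypothetical `hive-metastore-3.1.3.jar` as the application's own copy; the jar names, directories and class are assumptions for illustration only.

```python
import os
import re
import tempfile
import zipfile

# Naming pattern of the jar the thread is about (hive-metastore-2.3.x.jar).
HIVE_METASTORE_JAR = re.compile(r"^hive-metastore-(\d+(?:\.\d+)*)\.jar$")


def make_jar(path, class_names):
    """Write a constructed stand-in jar: a zip holding placeholder .class entries."""
    with zipfile.ZipFile(path, "w") as zf:
        for cls in class_names:
            zf.writestr(cls.replace(".", "/") + ".class", b"\xca\xfe\xba\xbe")


def expand_classpath(classpath):
    """Expand a Java CLASSPATH string into an ordered list of jar paths.

    A trailing '*' means every .jar in that directory, as the JVM launcher does.
    The JVM leaves the enumeration order inside one wildcard unspecified, so the
    listing is sorted here to make the result deterministic.
    """
    jars = []
    for element in classpath.split(os.pathsep):
        if element.endswith("*"):
            directory = element[:-1] or "."
            for name in sorted(os.listdir(directory)):
                if name.lower().endswith(".jar"):
                    jars.append(os.path.join(directory, name))
        elif element.lower().endswith(".jar"):
            jars.append(element)
    return jars


def resolve_class(classpath, class_name):
    """Return the first jar on the classpath that contains class_name.

    This mirrors the application class loader: the earliest match wins, so the
    jar directory listed first decides which version of the class is loaded.
    """
    entry = class_name.replace(".", "/") + ".class"
    for jar in expand_classpath(classpath):
        with zipfile.ZipFile(jar) as zf:
            if entry in zf.namelist():
                return jar
    return None


def shipped_hive_metastore_jars(jar_dir):
    """Inventory hive-metastore jars delivered in jar_dir, with their versions."""
    found = []
    for name in sorted(os.listdir(jar_dir)):
        m = HIVE_METASTORE_JAR.match(name)
        if m:
            found.append((name, m.group(1)))
    return found


def demo():
    """Build two constructed jar directories and show which copy of the class wins."""
    # Assumed for illustration: a class that lives in the Hive metastore jar.
    cls = "org.apache.hadoop.hive.metastore.HiveMetaStoreClient"
    with tempfile.TemporaryDirectory() as tmp:
        spark_jars = os.path.join(tmp, "spark", "jars")  # stands in for $SPARK_HOME/jars
        app_lib = os.path.join(tmp, "app", "lib")        # the application's own jars
        os.makedirs(spark_jars)
        os.makedirs(app_lib)
        # The jar named in the thread, plus a hypothetical newer copy the app ships.
        make_jar(os.path.join(spark_jars, "hive-metastore-2.3.9.jar"), [cls])
        make_jar(os.path.join(app_lib, "hive-metastore-3.1.3.jar"), [cls])

        spark_first = os.pathsep.join([os.path.join(spark_jars, "*"), os.path.join(app_lib, "*")])
        app_first = os.pathsep.join([os.path.join(app_lib, "*"), os.path.join(spark_jars, "*")])
        return {
            "spark_first": os.path.basename(resolve_class(spark_first, cls)),
            "app_first": os.path.basename(resolve_class(app_first, cls)),
            "shipped": shipped_hive_metastore_jars(spark_jars),
        }


if __name__ == "__main__":
    print(demo())
```

On a real installation, point `shipped_hive_metastore_jars` at the actual `$SPARK_HOME/jars` to answer the "Affected" question, and feed `resolve_class` the classpath the launcher really uses to see whose copy loads first. Note that this only models plain `java -cp` ordering; Spark's own `spark.driver.userClassPathFirst` and `spark.executor.userClassPathFirst` settings change which side wins for application jars, so the check should be repeated with the settings the deployment actually runs.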