[https://issues.apache.org/jira/browse/SPARK-55972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18066147#comment-18066147]
Marco Gaido commented on SPARK-55972:
-------------------------------------
I do not see this at least on master (v 4.2).
> Security Issue :commons-lang-2.6 Dependency in Apache Spark (CVE-2025-48924)
> ----------------------------------------------------------------------------
>
> Key: SPARK-55972
> URL: https://issues.apache.org/jira/browse/SPARK-55972
> Project: Spark
> Issue Type: Bug
> Components: Spark Core
> Affects Versions: 4.1.1
> Reporter: ajay kumar
> Priority: Major
>
> The security advisory CVE-2025-48924 recommends upgrading
> commons-lang-2.6 to commons-lang3-3.18.
> https://nvd.nist.gov/vuln/detail/CVE-2025-48924
> This dependency originates from Apache Spark dependency jars.
>
> Apache Spark latest currently loads both libraries simultaneously:
> * commons-lang-2.6.0.jar
> * commons-lang3-3.18.0.jar
> This occurs because:
> * commons-lang (v2.x) and commons-lang3 (v3.x) use different Java packages
> * Legacy Spark components still reference org.apache.commons.lang.*
> * Newer modules use org.apache.commons.lang3.*
> If commons-lang-2.6.0.jar is removed, the Spark runtime encounters
> class loading failures, which results in runtime errors in Spark.
> Therefore, removing or replacing the library is not currently feasible
> without breaking dependencies.
>
> Can you please fix it in the latest release and backport the fix to the
> previous release, 3.5.0, also?
--
This message was sent by Atlassian Jira (v8.20.10#820010)
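The report's central claim is that some jars shipped with Spark still reference the legacy org.apache.commons.lang package while others use org.apache.commons.lang3, so the 2.x jar cannot simply be dropped. The following scanner is an added example, not code from the Jira thread or from the Spark project: it reads every .class entry in a set of jars and tags each jar by which package prefix its constant pool references, then lists the jars that would break if commons-lang-2.x were removed. The sample jars and class bodies are constructed in-memory stand-ins.

```python
import io
import re
import zipfile
from typing import Dict, Iterable, List, Set, Tuple

# JVM constant pools store class names in slash form, so a raw substring search over
# each .class entry finds package references without a full class-file parser.
LEGACY = b"org/apache/commons/lang/"   # commons-lang 2.x package prefix
MODERN = b"org/apache/commons/lang3/"  # commons-lang3 prefix; the '3' means it never matches LEGACY
LEGACY_JAR = re.compile(r"^commons-lang-2\.\d+(\.\d+)?\.jar$")


def scan_jar(data: bytes) -> Set[str]:
    """Return the subset of {'legacy', 'modern'} referenced by the classes in one jar."""
    tags: Set[str] = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                blob = zf.read(name)
                if LEGACY in blob:
                    tags.add("legacy")
                if MODERN in blob:
                    tags.add("modern")
    return tags


def scan_jars(jars: Iterable[Tuple[str, bytes]]) -> Dict[str, Set[str]]:
    """Map each (jar name, jar bytes) pair to the package tags it references."""
    return {name: scan_jar(data) for name, data in jars}


def legacy_dependents(report: Dict[str, Set[str]]) -> List[str]:
    """Jars other than commons-lang itself that still reference org.apache.commons.lang;
    a non-empty result means removing commons-lang-2.x.jar would break class loading."""
    return sorted(j for j, t in report.items() if "legacy" in t and not LEGACY_JAR.match(j))


def make_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory jar from {entry name: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()


MAGIC = b"\xca\xfe\xba\xbe"  # class-file magic; the rest of each fake class is just a package string
# Constructed sample mirroring the report: both commons-lang jars plus one module on each package.
SAMPLE_JARS = [
    ("commons-lang-2.6.0.jar", make_jar({"org/apache/commons/lang/StringUtils.class": MAGIC + LEGACY + b"StringUtils"})),
    ("commons-lang3-3.18.0.jar", make_jar({"org/apache/commons/lang3/StringUtils.class": MAGIC + MODERN + b"StringUtils"})),
    ("legacy-module.jar", make_jar({"legacy/Foo.class": MAGIC + LEGACY + b"StringUtils"})),
    ("new-module.jar", make_jar({"newer/Bar.class": MAGIC + MODERN + b"StringUtils"})),
]
```

Against a real distribution, feed `scan_jars` something like `[(f, open(f, "rb").read()) for f in glob.glob("jars/*.jar")]` from $SPARK_HOME; an empty `legacy_dependents` result is the evidence needed before removing the 2.x jar, and a non-empty one names the modules that still need migrating to lang3.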