Shahnoor Alam created SPARK-57343:
-------------------------------------
Summary: [SECURITY] Upgrade bundled Netty to 4.2.15.Final and ZooKeeper to 3.9.5 in PySpark to resolve Critical/High CVEs
Key: SPARK-57343
URL: https://issues.apache.org/jira/browse/SPARK-57343
Project: Spark
Issue Type: Bug
Components: Build, PySpark
Affects Versions: 4.1.1
Environment: * *PySpark Version:* 4.1.1 (via pip)
* *Python Version:* 3.12
* *OS:* Linux/Unix (Docker Container)
Reporter: Shahnoor Alam
*Description:* Currently, installing the {{pyspark}} package via {{pip}}
bundles outdated and vulnerable versions of Netty and ZooKeeper JARs directly
into the Python {{site-packages/pyspark/jars/}} directory.
Because these JARs are physically bundled in the PyPI distribution, container
security scanners (like Prisma Cloud) flag the entire Docker image for
High/Critical severity vulnerabilities. In immutable enterprise infrastructure
where post-install file deletions ({{rm -f}}) are prohibited, this
completely blocks deployment pipelines.
*Vulnerable Components & Paths Detected:*
*1. Netty (Currently at 4.2.7.Final)* Multiple Netty components are flagged for
recent vulnerabilities (e.g., CVE-2026-44249, CVE-2026-42587, CVE-2026-42577,
CVE-2026-47691, CVE-2026-45674, CVE-2026-42578, CVE-2026-45416, CVE-2026-42582,
CVE-2026-44892, CVE-2026-33871,
[CVE-2026-42584|https://nvd.nist.gov/vuln/detail/CVE-2026-42584],
[CVE-2026-42581|https://nvd.nist.gov/vuln/detail/CVE-2026-42581],
[CVE-2026-33870|https://nvd.nist.gov/vuln/detail/CVE-2026-33870],
[CVE-2026-42579|https://nvd.nist.gov/vuln/detail/CVE-2026-42579],
[CVE-2026-42583|https://nvd.nist.gov/vuln/detail/CVE-2026-42583],
[CVE-2026-44894|https://nvd.nist.gov/vuln/detail/CVE-2026-44894]).
* {{/usr/local/lib/python3.12/site-packages/pyspark/jars/netty-all-4.2.7.Final.jar}}
* {{/usr/local/lib/python3.12/site-packages/pyspark/jars/netty-buffer-4.2.7.Final.jar}}
* {{/usr/local/lib/python3.12/site-packages/pyspark/jars/netty-codec-4.2.7.Final.jar}}
* _(Includes other transitives like {{netty-handler}}, {{netty-codec-http2}}, etc.)_
*2. Apache ZooKeeper (Currently at 3.9.4)* Flagged for CVE-2026-24281 and
CVE-2026-24308 (Hostname verification and configuration handling
vulnerabilities).
* {{/usr/local/lib/python3.12/site-packages/pyspark/jars/zookeeper-3.9.4.jar}}
*Requested Fix:* Please bump the internal Maven dependency properties for the
PySpark build pipeline to the latest secure patch releases:
* {{io.netty:*}} -> *{{4.2.15.Final}}*
* {{org.apache.zookeeper:zookeeper}} -> *{{3.9.5}}*
Aligning these bundled JARs with their patched releases will ensure downstream
users can pass enterprise container security scans when pulling PySpark from
PyPI.
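The following script reproduces the version check a container scanner applies to the bundled jars, so a downstream user can verify a PySpark install (or a candidate fix) offline. It is an added example, not Spark project code; the minimum versions are the ones requested above, and the directory listing it runs on by default is constructed from the paths in this report.

```python
"""Check Netty and ZooKeeper jars bundled in pyspark/jars/ against patched minimums."""
import re
import sys
from pathlib import Path

# Minimum patched releases requested in this issue (assumed policy, not Spark's own config).
MIN_VERSIONS = {"netty": "4.2.15.Final", "zookeeper": "3.9.5"}

# Maven-style jar names: <artifact>-<version>[.<qualifier>].jar, e.g. netty-codec-http2-4.2.7.Final.jar
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*(?:[.-][A-Za-z0-9]+)?)\.jar$")

def version_key(version):
    """Comparable key: numeric parts first, then whether it is a release (no qualifier or 'Final')."""
    nums, qual = [], ""
    for part in re.split(r"[.-]", version):
        if part.isdigit() and not qual:
            nums.append(int(part))
        else:
            qual = part
    return (tuple(nums), qual in ("", "Final"), qual)

def component_of(artifact):
    """Map an artifact id to the tracked component, or None if not tracked."""
    for comp in MIN_VERSIONS:
        if artifact == comp or artifact.startswith(comp + "-"):
            return comp
    return None

def check_jars(jar_names, minimums=MIN_VERSIONS):
    """Return {jar_name: (component, version, is_patched)} for every tracked jar."""
    findings = {}
    for name in jar_names:
        match = JAR_RE.match(name)
        comp = component_of(match["artifact"]) if match else None
        if comp is None:
            continue
        version = match["version"]
        findings[name] = (comp, version, version_key(version) >= version_key(minimums[comp]))
    return findings

def check_jar_dir(jar_dir):
    """Scan a real jars directory, e.g. site-packages/pyspark/jars."""
    return check_jars(p.name for p in Path(jar_dir).glob("*.jar"))

# Constructed listing modelled on the flagged paths above; not a real install.
SAMPLE_LISTING = ["netty-all-4.2.7.Final.jar", "netty-buffer-4.2.7.Final.jar",
                  "netty-codec-http2-4.2.7.Final.jar", "zookeeper-3.9.4.jar",
                  "zookeeper-jute-3.9.4.jar", "jackson-databind-2.18.2.jar"]

if __name__ == "__main__":
    results = check_jar_dir(sys.argv[1]) if len(sys.argv) > 1 else check_jars(SAMPLE_LISTING)
    for jar, (comp, ver, ok) in sorted(results.items()):
        print(f"{'OK  ' if ok else 'FAIL'} {jar}: {comp} {ver} (minimum {MIN_VERSIONS[comp]})")
    sys.exit(0 if all(ok for _, _, ok in results.values()) else 1)
```

Point it at an actual install with the directory next to `pyspark.__file__` (for example `$(python -c 'import pyspark, os; print(os.path.dirname(pyspark.__file__))')/jars`); a non-zero exit means at least one bundled jar is still below the requested release.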
--
This message was sent by Atlassian Jira
(v8.20.10#820010)