[ https://issues.apache.org/jira/browse/SPARK-57343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shahnoor Alam updated SPARK-57343:
----------------------------------
Attachment: 3c783623-2018-4798-a543-9a5f0cac09ee.png
42613dd0-aaa4-4a62-bd2b-c0a862c809e4.png
8f631e61-2933-47fd-a3cb-52ed42f5d9b9.png
973c27b7-d902-4b09-83b9-b46c93a457d2.png
c21782fe-7ed9-4a94-aebc-1aeded60fd59.png
877b2928-4ae6-4d6b-aa7e-dcf46c158645.png
fcbce59f-7684-40f1-919a-a8a1a3ea17c4.png
5a721f5f-ce92-4a0d-a2dc-93f28bf1b6f9.png
255f5292-7864-4af5-bd2c-8f7ab862746c.png
8691f5ae-772d-4cbf-be91-aa0ae14b64ad.png
> [SECURITY] Upgrade bundled Netty to 4.2.15.Final and ZooKeeper to 3.9.5 in
> PySpark to resolve Critical/High CVEs
> ----------------------------------------------------------------------------------------------------------------
>
> Key: SPARK-57343
> URL: https://issues.apache.org/jira/browse/SPARK-57343
> Project: Spark
> Issue Type: Bug
> Components: Build, PySpark
> Affects Versions: 4.1.1
> Environment: * *PySpark Version:* 4.1.1 (via pip)
> * *Python Version:* 3.12
> * *OS:* Linux/Unix (Docker Container)
> Reporter: Shahnoor Alam
> Priority: Blocker
> Attachments: 255f5292-7864-4af5-bd2c-8f7ab862746c.png,
> 3c783623-2018-4798-a543-9a5f0cac09ee.png,
> 42613dd0-aaa4-4a62-bd2b-c0a862c809e4.png,
> 5a721f5f-ce92-4a0d-a2dc-93f28bf1b6f9.png,
> 8691f5ae-772d-4cbf-be91-aa0ae14b64ad.png,
> 877b2928-4ae6-4d6b-aa7e-dcf46c158645.png,
> 8f631e61-2933-47fd-a3cb-52ed42f5d9b9.png,
> 973c27b7-d902-4b09-83b9-b46c93a457d2.png,
> c21782fe-7ed9-4a94-aebc-1aeded60fd59.png,
> fcbce59f-7684-40f1-919a-a8a1a3ea17c4.png
>
>
> *Environment:*
> * *PySpark Version:* 4.1.1 (via pip)
> * *Python Version:* 3.12
> * *OS:* Linux/Unix (Docker Container)
> *Description:* Currently, installing the {{pyspark}} package via {{pip}}
> bundles outdated and vulnerable versions of Netty and ZooKeeper JARs directly
> into the Python {{site-packages/pyspark/jars/}} directory.
> Because these JARs are physically bundled in the PyPI distribution, container
> security scanners (like Prisma Cloud) flag the entire Docker image for
> High/Critical severity vulnerabilities. In immutable enterprise
> infrastructure where post-install file deletions ({{rm -f}}) are
> prohibited, this completely blocks deployment pipelines.
> *Vulnerable Components & Paths Detected:*
> *1. Netty (Currently at 4.2.7.Final)*
> Multiple Netty components are flagged for recent vulnerabilities (e.g., CVE-2026-44249, CVE-2026-42587,
> CVE-2026-42577, CVE-2026-47691, CVE-2026-45674, CVE-2026-42578,
> CVE-2026-45416, CVE-2026-42582, CVE-2026-44892, CVE-2026-33871,
> [CVE-2026-42584|https://nvd.nist.gov/vuln/detail/CVE-2026-42584],
> [CVE-2026-42581|https://nvd.nist.gov/vuln/detail/CVE-2026-42581],
> [CVE-2026-33870|https://nvd.nist.gov/vuln/detail/CVE-2026-33870],
> [CVE-2026-42579|https://nvd.nist.gov/vuln/detail/CVE-2026-42579],
> [CVE-2026-42583|https://nvd.nist.gov/vuln/detail/CVE-2026-42583],
> [CVE-2026-44894|https://nvd.nist.gov/vuln/detail/CVE-2026-44894]).
> * {{/usr/local/lib/python3.12/site-packages/pyspark/jars/netty-all-4.2.7.Final.jar}}
> * {{/usr/local/lib/python3.12/site-packages/pyspark/jars/netty-buffer-4.2.7.Final.jar}}
> * {{/usr/local/lib/python3.12/site-packages/pyspark/jars/netty-codec-4.2.7.Final.jar}}
> * _(Includes other transitives like {{netty-handler}}, {{netty-codec-http2}}, etc.)_
> *2. Apache ZooKeeper (Currently at 3.9.4)*
> Flagged for CVE-2026-24281 and CVE-2026-24308 (Hostname verification and configuration handling
> vulnerabilities).
> * {{/usr/local/lib/python3.12/site-packages/pyspark/jars/zookeeper-3.9.4.jar}}
> *Requested Fix:* Please bump the internal Maven dependency properties for the
> PySpark build pipeline to the latest secure patch releases:
> * {{io.netty:*}} -> *{{4.2.15.Final}}*
> * {{org.apache.zookeeper:zookeeper}} -> *{{3.9.5}}*
> Aligning these bundled JARs with their patched releases will ensure
> downstream users can pass enterprise container security scans when pulling
> PySpark from PyPI.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
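A defender-side check for the condition the report describes, added here as an example that is not the reporter's or the Spark project's code: it parses the JAR file names under `site-packages/pyspark/jars/` and flags Netty and ZooKeeper artifacts older than the releases the report asks for. The minimum versions are taken from the report; the sample listing (including the unrelated `slf4j-api` entry) is constructed, and the file-name pattern is an assumption about how Maven artifacts are named.

```python
import importlib.util
import re
from pathlib import Path

# Patched releases the report asks for; anything below is flagged. Assumption:
# the numeric prefix is enough, so "4.2.7.Final" is compared as (4, 2, 7).
MINIMUM_VERSIONS = {
    "netty": (4, 2, 15),     # io.netty:* -> 4.2.15.Final
    "zookeeper": (3, 9, 5),  # org.apache.zookeeper:zookeeper -> 3.9.5
}

# artifact id, numeric version, optional qualifiers such as ".Final", then .jar
JAR_RE = re.compile(r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d+(?:\.\d+)*)(?:[.-][A-Za-z0-9]+)*\.jar$")

# Constructed sample listing modelled on the paths in the report, not a real scan.
SAMPLE_JARS = [
    "netty-all-4.2.7.Final.jar",
    "netty-codec-http2-4.2.7.Final.jar",
    "netty-handler-4.2.15.Final.jar",  # already at the requested release
    "zookeeper-3.9.4.jar",
    "slf4j-api-2.0.0.jar",  # hypothetical unrelated jar; must be ignored
]

def parse_jar_name(name):
    """'netty-all-4.2.7.Final.jar' -> ('netty-all', (4, 2, 7)); None if no match."""
    m = JAR_RE.match(name)
    if m is None:
        return None
    return m.group("artifact"), tuple(int(p) for p in m.group("version").split("."))

def find_outdated_jars(jar_names):
    """Return [(jar, component, version)] for jars below their minimum version."""
    outdated = []
    for name in sorted(jar_names):
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version = parsed
        component = artifact.split("-")[0]  # netty-codec-http2 -> netty
        if component in MINIMUM_VERSIONS and version < MINIMUM_VERSIONS[component]:
            outdated.append((name, component, version))
    return outdated

def scan_installed_pyspark():
    """Apply the check to site-packages/pyspark/jars/ of the importable pyspark."""
    spec = importlib.util.find_spec("pyspark")
    if spec is None or spec.origin is None:
        return None  # pyspark is not installed in this interpreter
    jar_dir = Path(spec.origin).parent / "jars"
    return find_outdated_jars(p.name for p in jar_dir.glob("*.jar"))
```

Run `scan_installed_pyspark()` inside the affected container to get the same tuples for the real listing; an empty list means every bundled Netty and ZooKeeper JAR is at or above the requested release.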