[
https://issues.apache.org/jira/browse/SPARK-57343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18088224#comment-18088224
]
Shahnoor Alam commented on SPARK-57343:
---------------------------------------
Hi Team,
Since we are using PySpark version 4.1.1, could you confirm whether there are
plans to patch Netty 4.2.15.Final and ZooKeeper 3.9.5 so they become
commercially available? If so, could you provide an estimate of how long this
might take?
> [SECURITY] Upgrade bundled Netty to 4.2.15.Final and ZooKeeper to 3.9.5 in
> PySpark to resolve Critical/High CVEs
> ----------------------------------------------------------------------------------------------------------------
>
> Key: SPARK-57343
> URL: https://issues.apache.org/jira/browse/SPARK-57343
> Project: Spark
> Issue Type: Bug
> Components: Build, PySpark
> Affects Versions: 4.1.1
> Environment:
> * *PySpark Version:* 4.1.1 (via pip)
> * *Python Version:* 3.12
> * *OS:* Linux/Unix (Docker Container)
> Reporter: Shahnoor Alam
> Priority: Blocker
> Attachments: 255f5292-7864-4af5-bd2c-8f7ab862746c.png,
> 3c783623-2018-4798-a543-9a5f0cac09ee.png,
> 42613dd0-aaa4-4a62-bd2b-c0a862c809e4.png,
> 5a721f5f-ce92-4a0d-a2dc-93f28bf1b6f9.png,
> 8691f5ae-772d-4cbf-be91-aa0ae14b64ad.png,
> 877b2928-4ae6-4d6b-aa7e-dcf46c158645.png,
> 8f631e61-2933-47fd-a3cb-52ed42f5d9b9.png,
> 973c27b7-d902-4b09-83b9-b46c93a457d2.png,
> c21782fe-7ed9-4a94-aebc-1aeded60fd59.png,
> fcbce59f-7684-40f1-919a-a8a1a3ea17c4.png
>
>
> *Environment:*
> * *PySpark Version:* 4.1.1 (via pip)
> * *Python Version:* 3.12
> * *OS:* Linux/Unix (Docker Container)
> *Description:* Currently, installing the {{pyspark}} package via {{pip}}
> bundles outdated and vulnerable versions of Netty and ZooKeeper JARs directly
> into the Python {{site-packages/pyspark/jars/}} directory.
> Because these JARs are physically bundled in the PyPI distribution, container
> security scanners (like Prisma Cloud) flag the entire Docker image for
> High/Critical severity vulnerabilities. In immutable enterprise
> infrastructure where post-install file deletions ({{rm -f}}) are
> prohibited, this completely blocks deployment pipelines.
> *Vulnerable Components & Paths Detected:*
> *1. Netty (Currently at 4.2.7.Final)* Multiple Netty components are flagged
> for recent vulnerabilities (e.g., CVE-2026-44249, CVE-2026-42587,
> CVE-2026-42577, CVE-2026-47691, CVE-2026-45674, CVE-2026-42578,
> CVE-2026-45416, CVE-2026-42582, CVE-2026-44892, CVE-2026-33871,
> [CVE-2026-42584|https://nvd.nist.gov/vuln/detail/CVE-2026-42584],
> [CVE-2026-42581|https://nvd.nist.gov/vuln/detail/CVE-2026-42581],
> [CVE-2026-33870|https://nvd.nist.gov/vuln/detail/CVE-2026-33870],
> [CVE-2026-42579|https://nvd.nist.gov/vuln/detail/CVE-2026-42579],
> [CVE-2026-42583|https://nvd.nist.gov/vuln/detail/CVE-2026-42583],
> [CVE-2026-44894|https://nvd.nist.gov/vuln/detail/CVE-2026-44894]).
> * {{/usr/local/lib/python3.12/site-packages/pyspark/jars/netty-all-4.2.7.Final.jar}}
> * {{/usr/local/lib/python3.12/site-packages/pyspark/jars/netty-buffer-4.2.7.Final.jar}}
> * {{/usr/local/lib/python3.12/site-packages/pyspark/jars/netty-codec-4.2.7.Final.jar}}
> * _(Includes other transitives like {{netty-handler}},
> {{netty-codec-http2}}, etc.)_
> *2. Apache ZooKeeper (Currently at 3.9.4)* Flagged for CVE-2026-24281 and
> CVE-2026-24308 (Hostname verification and configuration handling
> vulnerabilities).
> * {{/usr/local/lib/python3.12/site-packages/pyspark/jars/zookeeper-3.9.4.jar}}
> *Requested Fix:* Please bump the internal Maven dependency properties for the
> PySpark build pipeline to the latest secure patch releases:
> * {{io.netty:*}} -> *{{4.2.15.Final}}*
> * {{org.apache.zookeeper:zookeeper}} -> *{{3.9.5}}*
> Aligning these bundled JARs with their patched releases will ensure
> downstream users can pass enterprise container security scans when pulling
> PySpark from PyPI.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
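The ticket above lists the bundled JAR paths and the versions it asks for. The following script, added here as an example and not part of the Spark project or of the ticket, is the kind of pre-deployment check a practitioner would run against a pip-installed PySpark: it walks a `pyspark/jars/` directory, parses `artifact-<version>.jar` names, and reports every Netty or ZooKeeper JAR below the minimum versions named in the ticket (4.2.15.Final and 3.9.5). The jar names it scans are constructed from the ticket's listed paths (plus one hypothetical already-patched `zookeeper-jute` JAR and one unrelated JAR to show they are skipped), so it runs without a PySpark install; the function and constant names are this example's own.

```python
"""Check bundled PySpark JARs against minimum patched versions.

Added example (not Spark project code): scans a pyspark/jars/ directory for
Netty and ZooKeeper JARs and reports any below the versions requested in
SPARK-57343. The sample jar names are constructed from the ticket's paths so
the script runs offline.
"""
import re
import tempfile
from pathlib import Path

# Minimum versions requested in the ticket, keyed by artifact-name prefix.
MINIMUMS = {"netty": "4.2.15.Final", "zookeeper": "3.9.5"}

# Matches artifact-<version>.jar, e.g. netty-codec-http2-4.2.7.Final.jar
JAR_RE = re.compile(
    r"^(?P<artifact>[a-z0-9-]+?)-(?P<version>\d+(?:\.\d+)*(?:\.Final)?)\.jar$"
)


def version_key(version: str) -> tuple:
    """Numeric tuple for ordering; the '.Final' qualifier is ignored."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def find_outdated_jars(jar_dir: Path, minimums: dict = MINIMUMS) -> list:
    """Return (jar name, found version, required version) for each JAR whose
    artifact matches a prefix in `minimums` and whose version is too low."""
    outdated = []
    for jar in sorted(jar_dir.glob("*.jar")):
        m = JAR_RE.match(jar.name)
        if not m:
            continue
        artifact, version = m.group("artifact"), m.group("version")
        for prefix, required in minimums.items():
            # netty matches netty-all, netty-buffer, ...; zookeeper matches zookeeper-jute
            if artifact == prefix or artifact.startswith(prefix + "-"):
                if version_key(version) < version_key(required):
                    outdated.append((jar.name, version, required))
    return outdated


# Constructed sample: names from the ticket plus two extra entries.
SAMPLE_JARS = [
    "netty-all-4.2.7.Final.jar",
    "netty-buffer-4.2.7.Final.jar",
    "netty-codec-4.2.7.Final.jar",
    "netty-codec-http2-4.2.7.Final.jar",
    "zookeeper-3.9.4.jar",
    "zookeeper-jute-3.9.5.jar",      # hypothetical: already at the requested level
    "example-unrelated-1.0.0.jar",   # constructed: not Netty/ZooKeeper, ignored
]


def demo_scan() -> list:
    """Create the constructed jar directory in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        jar_dir = Path(tmp)
        for name in SAMPLE_JARS:
            (jar_dir / name).touch()   # empty files; only the names matter here
        return find_outdated_jars(jar_dir)


if __name__ == "__main__":
    for name, found, required in demo_scan():
        print(f"{name}: {found} < {required}")
```

To run it against a real installation, pass `Path(pyspark.__file__).parent / "jars"` to `find_outdated_jars` instead of the constructed directory; a non-empty result is exactly what a scanner such as the one named in the ticket would flag.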