I think it would be great if we don't just list CVEs like this. If I find some time, I will take a look but I object to blindly upgrading dependencies into old branches without proper assessment. Any contribution is appreciated.
On Fri, 12 Jun 2026 at 16:22, Alam, Shahnoor <[email protected]> wrote:

> Hi Hyukjin,
>
> Thank you for your earlier response and for clarifying the upgrades made
> in the dev branch. I wanted to follow up regarding the recent PR
> https://github.com/apache/spark/pull/56373 and ask for some additional
> details.
>
> Could you please confirm whether the following CVEs have been addressed in
> this PR?
>
> - CVE-2026-33870
> - CVE-2026-33871
> - CVE-2026-42577
> - CVE-2026-42579
> - CVE-2026-42582
> - CVE-2026-42583
> - CVE-2026-42584
> - CVE-2026-42587
>
> Additionally, could you confirm whether there are plans to patch Netty
> 4.2.15.Final and ZooKeeper 3.9.5 so they become commercially available? If
> so, could you provide an estimate of how long this might take?
>
> If you could provide insight on whether these vulnerabilities are now
> resolved, it would be greatly appreciated. This information will help us
> ensure compliance with our enterprise container security requirements and
> facilitate a smoother deployment process.
>
> Thanks again for your support and all the work you put into Spark! Looking
> forward to your update.
>
> Regards,
> Shahnoor
>
> From: Alam, Shahnoor <[email protected]>
> Date: Thursday, 11 June 2026 at 3:35 PM
> To: Hyukjin Kwon <[email protected]>; [email protected] <[email protected]>
> Cc: [email protected] <[email protected]>; [email protected] <[email protected]>;
> [email protected] <[email protected]>; Singh, Manoj <[email protected]>;
> Fatima Ansari, Nuzhat <[email protected]>; Misra Parashar, Jyoti <[email protected]>;
> Shukla, Vidur <[email protected]>; George, Rejish <[email protected]>;
> Dussa, Hanisha <[email protected]>; Kumar Sharma, Rohit B. <[email protected]>
> Subject: Re: [External] Re: [SECURITY] Request to bump bundled Netty
> and ZooKeeper in PySpark (Blocks Enterprise Scanners) - [SPARK-57343]
>
> Thanks for the response Hyukjin.
>
> Since we are using PySpark version 4.1.1, could you confirm whether there
> are plans to patch Netty 4.2.15.Final and ZooKeeper 3.9.5 so they become
> commercially available? If so, could you provide an estimate of how long
> this might take?
>
> Regards,
> Shahnoor
>
> From: Hyukjin Kwon <[email protected]>
> Date: Wednesday, 10 June 2026 at 11:40 AM
> To: [email protected] <[email protected]>
> Cc: [email protected] <[email protected]>; [email protected] <[email protected]>;
> [email protected] <[email protected]>; Singh, Manoj <[email protected]>;
> Fatima Ansari, Nuzhat <[email protected]>; Misra Parashar, Jyoti <[email protected]>;
> Shukla, Vidur <[email protected]>; George, Rejish <[email protected]>;
> Dussa, Hanisha <[email protected]>; Kumar Sharma, Rohit B. <[email protected]>;
> Alam, Shahnoor <[email protected]>
> Subject: [External] Re: [SECURITY] Request to bump bundled Netty and
> ZooKeeper in PySpark (Blocks Enterprise Scanners) - [SPARK-57343]
>
> Upgraded by https://github.com/apache/spark/pull/56373 and
> ZooKeeper is already using 3.9.5 in the dev branch.
> We upgraded this in the dev branch but did not backport to branch-4.x and
> older because it does not directly affect Spark itself.
> They are artifact-level false positives.
>
>
> On Tue, 9 Jun 2026 at 21:49, Alam, Shahnoor via user <[email protected]> wrote:
>
> > Hi Spark Developers,
> >
> > I hope you are all having a good week.
> >
> > I recently opened [https://issues.apache.org/jira/browse/SPARK-57343]
> > regarding outdated dependencies bundled within the PySpark
> > distribution on PyPI.
> >
> > Currently, the pyspark pip package bundles pre-compiled JARs for Netty
> > (4.2.7.Final) and ZooKeeper (3.9.4) into the site-packages/pyspark/jars/
> > directory.
> > Because these specific versions are flagged for recent High/Critical CVEs
> > (including CVE-2026-44249 for Netty and CVE-2026-24281 for ZooKeeper),
> > standard enterprise container security scanners (like Prisma Cloud) are
> > forcefully failing immutable Docker image builds when pyspark is
> > installed.
> >
> > Because downstream users cannot surgically delete or swap these bundled
> > JARs in locked CI/CD pipelines without risking PySpark instability, we are
> > currently blocked from deploying the latest PySpark releases.
> >
> > The Request: Could we look into bumping the internal Maven build
> > properties for PySpark to pull the latest secure patches before the next
> > release cycle?
> >
> > - io.netty:* -> 4.2.15.Final
> > - org.apache.zookeeper:zookeeper -> 3.9.5
> >
> > All the specific CVE details and file paths are attached to the Jira
> > ticket for reference.
> >
> > Thank you for your time and for all the hard work you put into maintaining
> > Spark!
> >
> > Regards,
> > Shahnoor
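The bundled-JAR situation described in Shahnoor's original request (JARs under site-packages/pyspark/jars/ that scanners flag by version) can be checked without a commercial scanner. The script below is an added example, not code from the thread or from Spark: it inventories a jars directory by filename and reports Netty and ZooKeeper jars below the minimum versions requested in the thread. The jar names in demo() are constructed samples.

```python
"""Inventory the JARs bundled in a PySpark install and flag Netty/ZooKeeper
versions below a minimum-version policy. Added example, not code from the
thread or from Spark; minimums are the versions requested in the thread. The
real directory is site-packages/pyspark/jars/; demo() uses a constructed one.
It reports what is bundled, not whether a CVE is reachable from Spark."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Bundled jars are named <artifact>-<version>.jar, e.g. netty-all-4.2.7.Final.jar
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d+(?:\.\d+)*(?:[.-][A-Za-z0-9]+)*)\.jar$"
)
# Policy: artifact-name prefix -> minimum acceptable version (from the thread).
MIN_VERSIONS = {"netty-": "4.2.15.Final", "zookeeper": "3.9.5"}


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components only: '4.2.7.Final' -> (4, 2, 7). Qualifiers such as
    'Final' are ignored, which is adequate for the artifacts covered here."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def inventory(jar_dir: str) -> Dict[str, str]:
    """Map artifact name -> version for every parseable jar in jar_dir."""
    found = {}
    for name in sorted(os.listdir(jar_dir)):
        m = JAR_RE.match(name)
        if m:
            found[m.group("artifact")] = m.group("version")
    return found


def check_policy(jars: Dict[str, str]) -> List[str]:
    """Return one '<artifact> <version> < <minimum>' line per jar below policy."""
    findings = []
    for artifact, version in jars.items():
        for prefix, minimum in MIN_VERSIONS.items():
            if artifact.startswith(prefix) and version_key(version) < version_key(minimum):
                findings.append(f"{artifact} {version} < {minimum}")
    return findings


def demo() -> List[str]:
    """Constructed sample directory with the versions named in the thread."""
    with tempfile.TemporaryDirectory() as d:
        for jar in ("netty-all-4.2.7.Final.jar", "netty-handler-4.2.7.Final.jar",
                    "zookeeper-3.9.4.jar", "zookeeper-jute-3.9.4.jar",
                    "commons-text-1.10.0.jar"):
            open(os.path.join(d, jar), "w").close()
        return check_policy(inventory(d))
```

Pointing inventory() at a real site-packages/pyspark/jars/ directory gives the same findings list for an installed PySpark; an empty list means every matched jar meets the policy.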
