RE: Spark 4.0 vulnerable with hive-metastore-2.3.x.jar versions

2025-01-28 Thread Balaji Sudharsanam V
advised by many security teams. Thanks, Balaji From: Sean Owen Sent: 28 January 2025 18:53 To: Balaji Sudharsanam V Cc: dev Subject: [EXTERNAL] Re: Spark 4.0 vulnerable with hive-metastore-2.3.x.jar versions If you use vulnerable code in your application, sure, you might be exposed to its

Re: Spark 4.0 vulnerable with hive-metastore-2.3.x.jar versions

2025-01-28 Thread Sean Owen
If you use vulnerable code in your application, sure, you might be exposed to its vulnerability. That's a problem for the application rather than Spark. Here I am asking if you know of a reason this CVE affects Spark usage, because you're asking about mitigating it. I'm first establishing whether

RE: Spark 4.0 vulnerable with hive-metastore-2.3.x.jar versions

2025-01-27 Thread Balaji Sudharsanam V
From: Sean Owen Sent: 28 January 2025 10:31 To: Balaji Sudharsanam V Cc: Mich Talebzadeh ; dev Subject: [EXTERNAL] Re: Spark 4.0 vulnerable with hive-metastore-2.3.x.jar versions Can you connect the CVE to Spark? Spark does not run a Hive metastore itself nor use Hive for executing queries

Re: Spark 4.0 vulnerable with hive-metastore-2.3.x.jar versions

2025-01-27 Thread Sean Owen
> Thanks, Balaji > From: Mich Talebzadeh > Sent: 27 January 2025 20:41 > To: Sean Owen > Cc: Balaji Sudharsanam V ; dev@spark.apache.org > Subject: [EXTERNAL] Re: Spark 4.0 vulnerable with hive-metastore-2.3.x.jar

RE: Spark 4.0 vulnerable with hive-metastore-2.3.x.jar versions

2025-01-27 Thread Balaji Sudharsanam V
can be a different discussion. As long as Spark contains a vulnerable jar in its packaging, it is good to address this. Thanks, Balaji From: Mich Talebzadeh Sent: 27 January 2025 20:41 To: Sean Owen Cc: Balaji Sudharsanam V ; dev@spark.apache.org Subject: [EXTERNAL] Re: Spark 4.0 vulnerabl

Re: Spark 4.0 vulnerable with hive-metastore-2.3.x.jar versions

2025-01-27 Thread Mich Talebzadeh
> Nicholas T. Marion > Senior AI and Analytics Development Lead | IBM zDNN Product Owner > Mobile: 1 845 649 3592 > E-mail: nmar...@us.ibm.com > IBM > From: Mich Talebzadeh > Date: Monday, January 27, 2025 at 10:11 AM > To: Sean O

RE: Spark 4.0 vulnerable with hive-metastore-2.3.x.jar versions

2025-01-27 Thread NICHOLAS MARION
com IBM From: Mich Talebzadeh Date: Monday, January 27, 2025 at 10:11 AM To: Sean Owen Cc: Balaji Sudharsanam V , dev@spark.apache.org Subject: [EXTERNAL] Re: Spark 4.0 vulnerable with hive-metastore-2.3.x.jar versions To answer your question, I did not read

Re: Spark 4.0 vulnerable with hive-metastore-2.3.x.jar versions

2025-01-27 Thread Mich Talebzadeh
To answer your question, I did not read this CVE, but I am responding solely from my previous experiences with vulnerabilities and the thread owner implications, having used spark in conjunction with Spark for many years. Mich Talebzadeh, Architect | Data Science | Financial Crime | Forensic Analy

Re: Spark 4.0 vulnerable with hive-metastore-2.3.x.jar versions

2025-01-27 Thread Sean Owen
Mich: did you read the CVE? I'm not clear, as this contains no reference to the Hive functionality that is affected, or how it might relate to a metastore. Please explain. Otherwise this looks like a generic AI-generated response with no particularly relevant content. "In summary"... On Mon, Jan 2

Re: Spark 4.0 vulnerable with hive-metastore-2.3.x.jar versions

2025-01-27 Thread Mich Talebzadeh
I think the thread owner's point is valid. The default use of the Hive Metastore by Spark further gives credence to the importance of addressing this Hive vulnerability to ensure the security and reliability of Spark applications. I use Hive as the default metastore for Spark as well. Spark relies

Re: Spark 4.0 vulnerable with hive-metastore-2.3.x.jar versions

2025-01-27 Thread Sean Owen
It looks like that affects Hive, and not the metastore. I do not see that it is relevant to Spark at first glance. On Mon, Jan 27, 2025 at 1:21 AM Balaji Sudharsanam V wrote: > Hi All, > There is a vulnerability with ‘High’ severity found in the Apache Spark 3.x and 4.0.0 preview (2) relea