From 8f304d3317db7deeceff3e9b10a946b8700eade4 Mon Sep 17 00:00:00 2001 From: Siegfried Weber Date: Thu, 7 Nov 2024 14:48:09 +0100 Subject: [PATCH 1/2] fix (spark-k8s): CVE-2024-36114 --- CHANGELOG.md | 3 ++ .../3.5.1/002-aircompressor-upgrade.patch | 33 +++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 spark-k8s/stackable/patches/3.5.1/002-aircompressor-upgrade.patch diff --git a/CHANGELOG.md b/CHANGELOG.md index 93a278f7f..cadb30b22 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -59,6 +59,8 @@ All notable changes to this project will be documented in this file. ### Fixed - hbase: link to phoenix server jar ([#811]). +- spark: Fix CVE-2024-36114 in Spark 3.5.1 by upgrading a dependency. + Spark 3.5.2 is not affected. ([#921]) - trino: Correctly report Trino version ([#881]). [#783]: https://github.com/stackabletech/docker-images/pull/783 @@ -101,6 +103,7 @@ All notable changes to this project will be documented in this file. [#912]: https://github.com/stackabletech/docker-images/pull/912 [#913]: https://github.com/stackabletech/docker-images/pull/913 [#914]: https://github.com/stackabletech/docker-images/pull/914 +[#921]: https://github.com/stackabletech/docker-images/pull/921 ## [24.7.0] - 2024-07-24 diff --git a/spark-k8s/stackable/patches/3.5.1/002-aircompressor-upgrade.patch b/spark-k8s/stackable/patches/3.5.1/002-aircompressor-upgrade.patch new file mode 100644 index 000000000..29247f97c --- /dev/null +++ b/spark-k8s/stackable/patches/3.5.1/002-aircompressor-upgrade.patch 
@@ -0,0 +1,33 @@ +Fix CVE-2024-36114 +see https://github.com/stackabletech/vulnerabilities/issues/834 + +Aircompressor is a library with ports of the Snappy, LZO, LZ4, and +Zstandard compression algorithms to Java. All decompressor +implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash +the JVM for certain input, and in some cases also leak the content of +other memory of the Java process (which could contain sensitive +information). When decompressing certain data, the decompressors try to +access memory outside the bounds of the given byte arrays or byte +buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to +speed up memory access, no additional bounds checks are performed and +this has similar security consequences as out-of-bounds access in C or +C++, namely it can lead to non-deterministic behavior or crash the JVM. +Users should update to Aircompressor 0.27 or newer where these issues +have been fixed. When decompressing data from untrusted users, this can +be exploited for a denial-of-service attack by crashing the JVM, or to +leak other sensitive information from the Java process. There are no +known workarounds for this issue. + +diff --git a/pom.xml b/pom.xml +index 6cca7db7bf8..fb9254e0cd9 100644 +--- a/pom.xml ++++ b/pom.xml +@@ -2558,7 +2558,7 @@ + + io.airlift + aircompressor +- 0.26 ++ 0.27 + + + org.apache.orc From 00a303d750df86b1522bbffaa93e8d950cdd7f14 Mon Sep 17 00:00:00 2001 From: Siegfried Weber Date: Thu, 7 Nov 2024 15:04:06 +0100 Subject: [PATCH 2/2] Rename patch file name --- ...grade.patch => 002-CVE-2024-36114-upgrade-aircompressor.patch} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename spark-k8s/stackable/patches/3.5.1/{002-aircompressor-upgrade.patch => 002-CVE-2024-36114-upgrade-aircompressor.patch} (100%) 
diff --git a/spark-k8s/stackable/patches/3.5.1/002-aircompressor-upgrade.patch b/spark-k8s/stackable/patches/3.5.1/002-CVE-2024-36114-upgrade-aircompressor.patch similarity index 100% rename from spark-k8s/stackable/patches/3.5.1/002-aircompressor-upgrade.patch rename to spark-k8s/stackable/patches/3.5.1/002-CVE-2024-36114-upgrade-aircompressor.patch
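Review bot: the new CHANGELOG entry in the `@@ -59,6 +59,8 @@` hunk names neither the dependency nor the versions, although the patch file added in the same commit pins `io.airlift:aircompressor` from `0.26` to `0.27`; stating that in the entry (for example `- spark: Fix CVE-2024-36114 in Spark 3.5.1 by upgrading aircompressor from 0.26 to 0.27 ([#921]). Spark 3.5.2 is not affected.`) lets readers verify the fix against the built image and also matches the neighbouring entries, which place the `([#811]).` reference before the full stop rather than after it.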
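Review bot: the added `002-aircompressor-upgrade.patch` changes only the `io.airlift` / `aircompressor` version line in `pom.xml` (`- 0.26` / `+ 0.27`), so the fix relies on every module resolving that managed version; before treating the CVE as closed for the 3.5.1 image it is worth checking its jars directory for a remaining aircompressor 0.26 jar pulled in transitively (for instance via the `org.apache.orc` dependency that follows the hunk) and recording that check in the PR. The patch description quotes the advisory text and the vulnerabilities issue but gives no upstream Spark reference; linking the upstream change that makes Spark 3.5.2 unaffected would document why the patch is scoped to 3.5.1 only.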
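Review bot: the second commit only renames `002-aircompressor-upgrade.patch` to `002-CVE-2024-36114-upgrade-aircompressor.patch` (similarity index 100%, no content change); squashing it into the first commit would avoid a history state in which the old file name exists and would make the `create mode 100644` line of the first commit show the final, CVE-tagged name that the CHANGELOG entry refers to.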