Uploaded image for project: 'Spark'
  1. Spark
  2. SPARK-39183

Upgrade Apache Xerces Java to 2.12.2

    XMLWordPrintableJSON

Details

    • Dependency upgrade
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • 3.2.1
    • 3.3.0, 3.2.2, 3.4.0
    • Build
    • None

    Description

      Infinite Loop in Apache Xerces Java

      There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

      References
      https://nvd.nist.gov/vuln/detail/CVE-2022-23437
      https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
      http://www.openwall.com/lists/oss-security/2022/01/24/3
      https://www.oracle.com/security-alerts/cpuapr2022.html

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. SPARK-42799 Update SBT build `xercesImpl` version to match with pom.xml

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved
          links to

          Pull request #36544 [Github] Pull Request #36544 (bjornjorgensen)

          Pull request #36544 [Github] Pull Request #36544 (bjornjorgensen)

          Activity

            People

              bjornjorgensen Bjørn Jørgensen
              bjornjorgensen Bjørn Jørgensen
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: