An update for spark is now available for openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1039 Final 1.0 1.0 2025-01-10 Initial 2025-01-10 2025-01-10 openEuler SA Tool V1.0 2025-01-10 spark security update An update for spark is now available for openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS-SP1 Apache Spark achieves high performance for both batch and streaming data, using a state-of-the-art DAG scheduler, a query optimizer, and a physical execution engine. Security Fix(es): Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further exploitation. The vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (1.2.0) and in Apache Spark by SPARK-14987 (2.0.0). The affected components are the following: * org.apache.hive:hive-service * org.apache.spark:spark-hive-thriftserver_2.11 * org.apache.spark:spark-hive-thriftserver_2.12(CVE-2024-23945) An update for spark is now available for openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium spark https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1039 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-23945 https://nvd.nist.gov/vuln/detail/CVE-2024-23945 openEuler-22.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP1 openEuler-24.03-LTS openEuler-22.03-LTS-SP4 openEuler-24.03-LTS-SP1 spark-3.2.2-2.oe2203sp3.x86_64.rpm spark-3.2.0-3.oe2003sp4.x86_64.rpm spark-3.2.2-2.oe2203sp1.x86_64.rpm spark-3.5.0-4.oe2403.x86_64.rpm spark-3.2.2-3.oe2203sp4.x86_64.rpm spark-3.5.0-5.oe2403sp1.x86_64.rpm spark-3.2.2-2.oe2203sp3.aarch64.rpm spark-3.2.0-3.oe2003sp4.aarch64.rpm spark-3.2.2-2.oe2203sp1.aarch64.rpm spark-3.5.0-4.oe2403.aarch64.rpm spark-3.2.2-3.oe2203sp4.aarch64.rpm spark-3.5.0-5.oe2403sp1.aarch64.rpm spark-3.2.2-2.oe2203sp3.src.rpm spark-3.2.0-3.oe2003sp4.src.rpm spark-3.2.2-2.oe2203sp1.src.rpm spark-3.5.0-4.oe2403.src.rpm spark-3.2.2-3.oe2203sp4.src.rpm spark-3.5.0-5.oe2403sp1.src.rpm Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further exploitation. The vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (1.2.0) and in Apache Spark by SPARK-14987 (2.0.0). The affected components are the following: * org.apache.hive:hive-service * org.apache.spark:spark-hive-thriftserver_2.11 * org.apache.spark:spark-hive-thriftserver_2.12 2025-01-10 CVE-2024-23945 openEuler-22.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP1 openEuler-24.03-LTS openEuler-22.03-LTS-SP4 openEuler-24.03-LTS-SP1 Medium 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N spark security update 2025-01-10 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1039