Azure Databricks and CVE-2022-42889

Question

Azure Databricks and CVE-2022-42889

Janne Kujanpää 256

Azure Databricks is shipping Apache commons text package: e.g.

1.6 on 10.4 LTS runtime
1.9 on 11.2 runtime

Is vulnerable component actively being used by Databricks?
Is it exploitable through common data processing patterns customer use with Databricks?
Is it going to be hot-patched?
Guidance for customer-side mitigations?

The proof that component is shipped by default on Databricks cluster:

PRADEEPCHEEKATLA 90,641 Reputation points Moderator

2022-10-20T09:29:30.447+00:00

Hello @Janne Kujanpää ,

Thanks for bringing this to our attention.

We have reported to the internal team and I will update you once I have update from the team.

1 answer

Your answer

PRADEEPCHEEKATLA 90,641 Reputation points Moderator

2022-10-20T09:29:30.447+00:00

Hello @Janne Kujanpää ,

Thanks for bringing this to our attention.

We have reported to the internal team and I will update you once I have update from the team.

Answer 1

PRADEEPCHEEKATLA 90,641 Moderator

Hello @Janne Kujanpää ,

Thanks for the question and using MS Q&A platform.

The below are the steps to update Apache Commos Text 1.10 version:

Step1: Create an init script as shown below:

init script:

#!/bin/bash  
wget --quiet -O /dbfs/tmp/commons-text-1.10.0.jar https://repo1.maven.org/maven2/org/apache/commons/commons-text/1.10.0/commons-text-1.10.0.jar  
rm -rf /databricks/jars/*commons-text*.jar  
cp /dbfs/tmp/commons-text-1.10.0.jar /databricks/jars/

Step2: After you run the above snippet from a notebook, there will the apache-commons-text-install.sh file in /dbfs/databricks/scripts folder

Step3: After confirming the file is good, add this to the init script to the cluster as shown below:

Step4: Restart the cluster, after that you will see the 1.10 version

Hope this will help. Please let us know if any further queries.

------------------------------

Please don't forget to click on or upvote button whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how
Want a reminder to come back and check responses? Here is how to subscribe to a notification
If you are interested in joining the VM program and help shape the future of Q&A: Here is jhow you can be part of Q&A Volunteer Moderators

Janne Kujanpää 256 Reputation points

2022-10-20T20:58:23.093+00:00
That's a nice workaround but what about other questions?

is it going to be fixed by default?

Is vulnerable class used by databricks internally or easily triggered by common databricks projects?

Public announcement / health service event with mitigation guidance?

Or are those waiting for further analysis of vulnerability severity on databricks?
PRADEEPCHEEKATLA 90,641 Reputation points Moderator

2022-10-21T04:26:31.377+00:00

Hello @Janne Kujanpää ,

We had reported this to the product team and they had acknowleded and going to be fixed asap.

Meanwhile, you can use the above workaround to update the Apache Commos Text 1.10 version.

Janne Kujanpää 256

Working version of the notebook code:

dbutils.fs.mkdirs("dbfs:/databricks/scripts")  
dbutils.fs.mkdirs("dbfs:/tmp")  
dbutils.fs.put("/databricks/scripts/apache-commons-text-install.sh", """  
#!/bin/bash  
wget --quiet -O /dbfs/tmp/commons-text-1.10.0.jar https://repo1.maven.org/maven2/org/apache/commons/commons-text/1.10.0/commons-text-1.10.0.jar  
rm -rf /databricks/jars/*commons-text*.jar  
cp /dbfs/tmp/commons-text-1.10.0.jar /databricks/jars/  
""", True)  
display(dbutils.fs.ls("dbfs:/databricks/scripts/apache-commons-text-install.sh"))

dbfs:/tmp was missing. Copy-pasteable code for future references

PRADEEPCHEEKATLA 90,641 Reputation points Moderator

2022-10-25T06:23:31.59+00:00

Hello @Janne Kujanpää ,

Are you experiencing any error message while running the above query?
Janne Kujanpää 256 Reputation points

2022-10-29T09:33:35.03+00:00

I had to add dbutils.fs.mkdirs("dbfs:/tmp") because dbfs:/tmp was missing on brand new cluster
PRADEEPCHEEKATLA 90,641 Reputation points Moderator

2022-10-31T05:41:34.127+00:00

Hello @Janne Kujanpää ,

Did you able to update the Apache Commos Text 1.10 version?
Janne Kujanpää 256 Reputation points

2022-10-31T06:31:50.787+00:00

yes, after fixing the notebook?

Any ETA for fixing the runtime itself?
PRADEEPCHEEKATLA 90,641 Reputation points Moderator

2022-11-02T10:44:03.377+00:00

Hello @Janne Kujanpää ,

We are still awaiting for the response from the internal team and will get back to you as soon as we have an update.

Share via

Azure Databricks and CVE-2022-42889

1 answer

Your answer