04-19-2023 07:01 PM
Hi all,
I'm a user of Azure Databricks. We recently found there is a Thrift vulnerability (CVE-2020-13949) in Spark Hive. We have tried to fix it on our side. We also found there is an open issue on the Spark JIRA board - https://issues.apache.org/jira/browse/SPARK-37090. It seems there is no way to solve it.
I'm trying to figure out whether Thrift usage exists in the Databricks control plane/cloud account, or whether this is managed by Databricks, so our team can move forward.
Thanks
04-20-2023 07:45 PM
@Jimin Hsieh :
Databricks control plane and cloud accounts are managed services provided by Databricks, and as such, they manage the underlying infrastructure and software stack.
Regarding the Spark Hive thrift vulnerability (CVE-2020-13949), Databricks is aware of this issue and has taken steps to mitigate it. The Databricks Runtime for Apache Spark includes a patched version of Hive that addresses this vulnerability.
However, if you are using a custom version of Spark or Hive, you may need to apply the patch yourself. In this case, I recommend contacting Databricks support for guidance on how to proceed.
It's worth noting that the open issue on the Spark JIRA board (SPARK-37090) is related to upgrading Thrift to version 0.14, which should address this vulnerability. Once this issue is resolved in Spark, Databricks is likely to update their Databricks Runtime for Apache Spark to include the new version of Thrift.
In summary, if you are using the Databricks Runtime for Apache Spark, Databricks has already taken steps to address the CVE-2020-13949 vulnerability. However, if you are using a custom version of Spark or Hive, you may need to apply the patch yourself or contact Databricks support for guidance.
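Rather than taking "includes a patched version" on faith, you can check which libthrift is actually on a cluster's classpath. The following is an added example, not code from the thread or from Databricks: it parses jar filenames for a libthrift version and flags anything below 0.14.0, the release in which CVE-2020-13949 was fixed (the upgrade SPARK-37090 tracks). It assumes the version is embedded in the jar filename (the Maven `libthrift-<version>.jar` convention, or a doubled-separator variant); the sample listing is constructed.

```python
"""Flag libthrift jars older than the CVE-2020-13949 fix (Apache Thrift 0.14.0).

Added example (not from the forum thread or Databricks). Assumes the Thrift
version appears in the jar filename; SAMPLE_JARS below is a constructed listing.
"""
import os
import re
from typing import List, Optional, Tuple

# CVE-2020-13949 affects Thrift 0.9.3 through 0.13.0 and is fixed in 0.14.0.
FIXED_VERSION = (0, 14, 0)

# Match "libthrift" followed by a dotted version anywhere in the filename,
# e.g. "libthrift-0.12.0.jar" or "org.apache.thrift__libthrift__0.14.1.jar".
# Assumption: the bundler kept the version in the name.
VERSION_RE = re.compile(r"libthrift[-_]+(\d+)\.(\d+)\.(\d+)")


def thrift_version(jar_name: str) -> Optional[Tuple[int, int, int]]:
    """Return the (major, minor, patch) libthrift version in a jar name, or None."""
    m = VERSION_RE.search(jar_name)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def vulnerable_jars(jar_names: List[str]) -> List[Tuple[str, str]]:
    """Return (jar, version) for every libthrift jar below FIXED_VERSION.

    Non-Thrift jars and jars whose name carries no version are ignored, so a
    missing version is reported as "not found" rather than silently passing.
    """
    found = []
    for name in jar_names:
        v = thrift_version(name)
        if v is not None and v < FIXED_VERSION:
            found.append((name, ".".join(str(n) for n in v)))
    return found


def scan_directory(path: str) -> List[Tuple[str, str]]:
    """Scan a real jar directory, e.g. /databricks/jars on a cluster node."""
    return vulnerable_jars(os.listdir(path))


# Constructed sample listing: one old libthrift, one patched one, and noise
# ("thriftserver" must not be mistaken for libthrift).
SAMPLE_JARS = [
    "hive-exec-2.3.9.jar",
    "libthrift-0.12.0.jar",
    "libfb303-0.9.3.jar",
    "spark-hive-thriftserver_2.12-3.3.0.jar",
    "org.apache.thrift__libthrift__0.14.1.jar",
]

if __name__ == "__main__":
    hits = vulnerable_jars(SAMPLE_JARS)
    for jar, ver in hits:
        print(f"VULNERABLE: {jar} (libthrift {ver} < 0.14.0)")
    if not hits:
        print("no libthrift below 0.14.0 found")
```

On a Databricks cluster the same check can be run from a notebook cell against the runtime's jar directory (for example `scan_directory("/databricks/jars")`); if no libthrift jar is found at all, look for it inside fat jars or a custom library before concluding the cluster is clean. This only covers the data plane you can log into; the control plane is not inspectable this way, which is the part of the question Databricks support has to answer.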
04-25-2023 03:01 AM
Hi @Suteja Kanuri and @Vidula Khanna I have 2 remaining questions which need your confirmation.
Thanks.
04-27-2023 11:38 AM
@Jimin Hsieh :
CVE-2020-13949 is a vulnerability in Apache Tomcat, which is used by Databricks for web access to the control plane. This vulnerability can allow a remote attacker to view sensitive information, modify user sessions, or execute arbitrary code on the control plane. It does not directly affect the data plane.
Databricks has released a security update to address CVE-2020-13949. The update was first included in Databricks Runtime 7.3 LTS and is also included in all subsequent LTS releases, including 10.4 LTS.
If you are using a Databricks runtime version earlier than 7.3 LTS, you should upgrade to a newer LTS release that includes the security update. Additionally, if you are running your own Apache Tomcat instances, you should ensure that they are patched or updated to address this vulnerability.
04-23-2023 08:17 AM
Hi @Jimin Hsieh
Hope everything is going great.
Just wanted to check in if you were able to resolve your issue. If yes, would you be happy to mark an answer as best so that other members can find the solution more quickly? If not, please tell us so we can help you.
Cheers!
04-24-2023 08:04 PM
Done.