Administration & Architecture
Does CVE-2020-13949 (vulnerability) affect the data plane and its security patch is included in Databricks 10.4 LTS?

JH
New Contributor II

Here is the previous discussion.

https://community.databricks.com/s/question/0D58Y0000ACcIv2SQF/does-thrift-only-exist-in-databrick-c...

I have the following questions.

  1. Does CVE-2020-13949 affect the data plane or not?
  2. Do you know from which version of Databricks runtime you begin to have the patch for this vulnerability? Or is it confirmed that the patch for this vulnerability is included in Databricks runtime 10.4 LTS?

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions

Anonymous
Not applicable

@Jimin Hsieh:

CVE-2020-13949 is a vulnerability in the Apache Thrift library, which is used in the Databricks control plane to manage clusters and other resources. Therefore, it does not directly affect the data plane of Databricks clusters. However, as a security vulnerability in a component used by the control plane, it could potentially be used to compromise the security of the entire Databricks environment if left unpatched.

Databricks has released patches for this vulnerability and recommends that users update to a version that includes the patch. The patch is included in Databricks Runtime 7.3 and later versions. It is not clear whether the patch is included in Databricks Runtime 10.4 LTS specifically, as the LTS versions may have additional backported security fixes. I recommend reaching out to Databricks support to confirm the patch status for your specific use case.


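The accepted answer ends by recommending that you confirm the patch status with support. The check below is an added example, not code from the original thread or from Databricks: it scans the jar directory of a running cluster for bundled libthrift jars and flags any whose version falls in the range the Apache advisory for CVE-2020-13949 names as affected (0.9.3 through 0.13.0; the fix shipped in 0.14.0). The jar directory /databricks/jars, the file-name heuristic used to pull the version out of a jar name, and the SAMPLE_JARS listing are all assumptions made for the example; run it from a notebook cell (%sh python3 check_thrift.py) or an init script and pass a different directory as the first argument if your runtime keeps jars elsewhere.

```python
"""Added example: flag bundled Apache Thrift jars affected by CVE-2020-13949.

Not part of the original thread or of Databricks' own tooling. Assumptions:
- Affected range taken from the Apache advisory: 0.9.3 <= version < 0.14.0.
- JAR_DIR is where a DBR cluster keeps its bundled jars (assumed path).
- A libthrift jar's file name contains "libthrift" followed by a dotted version
  (plain "libthrift-0.12.0.jar" or a longer DBR-style name); this is a heuristic.
"""
import os
import re
import sys
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (0, 9, 3)   # first version named in the advisory
FIXED_IN: Version = (0, 14, 0)        # first release containing the fix
JAR_DIR = "/databricks/jars"          # assumed location of DBR's bundled jars

# Match "libthrift" and the first dotted version that follows it in the file name.
_LIBTHRIFT_RE = re.compile(r"libthrift.*?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)

# Constructed sample listing, not a real cluster's classpath: one short Maven-style
# name, one long DBR-style name, one fixed release, one non-thrift jar.
SAMPLE_JARS = [
    "libthrift-0.12.0.jar",
    "----workspace--maven-trees--hive-2.3__hadoop-3.2--org.apache.thrift--libthrift"
    "--org.apache.thrift__libthrift__0.13.0.jar",
    "libthrift-0.14.1.jar",
    "spark-hive-thriftserver_2.12-3.2.1.jar",
]


def parse_thrift_version(jar_name: str) -> Optional[Version]:
    """Return the libthrift version encoded in a jar name, or None if it is not a libthrift jar."""
    match = _LIBTHRIFT_RE.search(os.path.basename(jar_name))
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return FIRST_AFFECTED <= version < FIXED_IN


def classify_jars(jar_names: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (jar name, version string, 'affected' | 'not-affected') for every libthrift jar."""
    findings = []
    for name in jar_names:
        version = parse_thrift_version(name)
        if version is None:
            continue
        status = "affected" if is_affected(version) else "not-affected"
        findings.append((os.path.basename(name), ".".join(map(str, version)), status))
    return findings


def scan_directory(path: str = JAR_DIR) -> List[Tuple[str, str, str]]:
    """Classify every .jar directly under `path`; a missing directory yields no findings."""
    if not os.path.isdir(path):
        return []
    jars = (f for f in os.listdir(path) if f.endswith(".jar"))
    return classify_jars(jars)


def main(argv: List[str]) -> int:
    path = argv[1] if len(argv) > 1 else JAR_DIR
    findings = scan_directory(path)
    if not findings:
        print(f"no libthrift jars found under {path} (directory missing or name pattern unmatched)")
        print("showing the constructed sample listing instead:")
        findings = classify_jars(SAMPLE_JARS)
    for jar, version, status in findings:
        print(f"{status:12s} libthrift {version:8s} {jar}")
    # Non-zero exit makes this usable as a gate in an init script or CI job.
    return 1 if any(status == "affected" for _, _, status in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A jar-name scan only proves which Thrift library is bundled, not which services on the cluster load it; treat an "affected" finding as the starting point for the support conversation the answer recommends, and compare the version it reports against the "Installed Java and Scala libraries" list in the release notes for the runtime you are on.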
2 REPLIES


Anonymous
Not applicable

Hi @Jimin Hsieh,

Hope everything is going great.

Just wanted to check in if you were able to resolve your issue. If yes, would you be happy to mark an answer as best so that other members can find the solution more quickly? If not, please tell us so we can help you. 

Cheers!
