Administration & Architecture

Does CVE-2020-13949 (vulnerability) affect the data plane and its security patch is included in Databricks 10.4 LTS?

JH

Here is the previous discussion.

https://community.databricks.com/s/question/0D58Y0000ACcIv2SQF/does-thrift-only-exist-in-databrick-c...

I have the following questions.

  1. Does CVE-2020-13949 affect the data plane or not?
  2. Do you know from which version of the Databricks runtime the patch for this vulnerability is included? Or is it confirmed that the patch for this vulnerability is included in Databricks Runtime 10.4 LTS?

Thanks.

Accepted solution

Anonymous

@Jimin Hsieh:

CVE-2020-13949 is a vulnerability in the Apache Thrift library, which is used in the Databricks control plane to manage clusters and other resources. Therefore, it does not directly affect the data plane of Databricks clusters. However, as a security vulnerability in a component used by the control plane, it could potentially be used to compromise the security of the entire Databricks environment if left unpatched.

Databricks has released patches for this vulnerability and recommends that users update to a version that includes the patch. The patch is included in Databricks Runtime 7.3 and later versions. It is not clear whether the patch is included in Databricks Runtime 10.4 LTS specifically, as the LTS versions may have additional backported security fixes. I recommend reaching out to Databricks support to confirm the patch status for your specific use case.

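Rather than taking the runtime version as the only evidence, a cluster owner can check the Thrift jar that is actually on the classpath. The following is an added example (not code from this thread or from Databricks): it parses `libthrift-<version>.jar` file names and compares them with a minimum fixed version. It assumes the runtime's bundled jars live under `/databricks/jars` and that the fixed version is taken from the CVE-2020-13949 advisory; Thrift classes shaded into another jar (for example a Hive jar) are not detected, so a result of "unknown" is not a clean bill of health.

```python
import re
from pathlib import Path
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int]

JAR_DIR = Path("/databricks/jars")  # assumption: where the runtime keeps bundled jars
# assumption: first Thrift release the CVE-2020-13949 advisory lists as fixed;
# confirm this value against the CVE entry before relying on the verdict
MIN_FIXED: Version = (0, 14, 0)

# Matches libthrift-0.12.0.jar, libthrift-0.13.0-shaded.jar, libthrift-0.14.jar ...
JAR_NAME = re.compile(r"^libthrift-(\d+(?:\.\d+){0,2})(?:[-.].*)?\.jar$")


def parse_version(text: str) -> Version:
    """Turn '0.14' or '0.14.1' into a 3-tuple so omitted parts compare as zero."""
    parts = [int(p) for p in text.split(".")][:3]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def find_thrift_versions(names: Iterable[str]) -> List[Version]:
    """Versions of every unshaded libthrift jar among the given file names."""
    found = set()
    for name in names:
        match = JAR_NAME.match(name)
        if match:
            found.add(parse_version(match.group(1)))
    return sorted(found)


def assess(names: Iterable[str], min_fixed: Version = MIN_FIXED) -> Tuple[str, List[Version]]:
    """Return ('patched' | 'vulnerable' | 'unknown', versions seen).

    'unknown' means no standalone libthrift jar was found; Thrift may still be
    shaded into another jar, so treat that as 'needs a deeper look', not 'safe'.
    """
    versions = find_thrift_versions(names)
    if not versions:
        return "unknown", []
    status = "vulnerable" if any(v < min_fixed for v in versions) else "patched"
    return status, versions


def scan_cluster(jar_dir: Path = JAR_DIR) -> Tuple[str, List[Version]]:
    """Run the check against a real jar directory, e.g. from a notebook cell."""
    if not jar_dir.is_dir():
        return "unknown", []
    return assess(p.name for p in jar_dir.iterdir())


if __name__ == "__main__":
    print(scan_cluster())
```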


Anonymous

Hi @Jimin Hsieh,

Hope everything is going great.

Just wanted to check in to see if you were able to resolve your issue. If yes, would you be happy to mark an answer as best so that other members can find the solution more quickly? If not, please tell us so we can help you.

Cheers!
