Databricks-jdbc and vulnerabilities CVE-2021-36090 CVE-2023-6378 CVE-2023-6481

karthik-kobai
New Contributor II

The latest version of Databricks-jdbc available through Maven (2.6.36) now has these three vulnerabilities:

https://www.cve.org/CVERecord?id=CVE-2021-36090
https://www.cve.org/CVERecord?id=CVE-2023-6378
https://www.cve.org/CVERecord?id=CVE-2023-6481

All are due to depending on, and including in the jar, the older versions of the dependencies below:

org.apache.commons:commons-compress@1.20
ch.qos.logback:logback-classic@1.2.3
ch.qos.logback:logback-core@1.2.3

Is there a possibility to have a new updated version of Databricks-jdbc that uses the latest of these dependent jars?

org.apache.commons:commons-compress@1.25
ch.qos.logback:logback-classic@1.2.13 or @1.4.14
ch.qos.logback:logback-core@1.2.13 or @1.4.14


Kaniz
Community Manager

Hi @karthik-kobai

Thank you for bringing this to my attention! Let’s address the vulnerabilities in the Databricks JDBC driver.

The current version of the Databricks JDBC driver you mentioned is 2.6.36. It appears that this version has dependencies on older libraries, which have known vulnerabilities. Specifically:

  1. org.apache.commons:commons-compress@1.20
  2. ch.qos.logback:logback-classic@1.2.3
  3. ch.qos.logback:logback-core@1.2.3

To mitigate these vulnerabilities, you can consider the following steps:

  1. Check for Updates: First, verify if there is a newer version of the Databricks JDBC driver available. Databricks typically supports each driver version for at least 2 years. You can visit the Databricks JDBC Drivers Download page to find the latest version.

  2. Replace Default Libraries: If a newer version is not available, you can manually replace the default libraries with updated versions. Databricks allows you to replace any of these libraries by using a cluster-scoped init script. Remove the default library jar and install the specific versions you require.

  3. Specific Versions for Dependencies:

Remember to thoroughly test the updated configuration to ensure compatibility with your use case. Stay vigilant about security and keep your dependencies up-to-date! 🛡
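Before and after any of the steps above, a practitioner will want to confirm which dependency versions the driver jar actually bundles rather than trusting a scanner report or a release note. The following is an added example for this thread, not code from the thread, from Databricks, or from the Databricks JDBC driver: a small Python audit that opens a jar, reads the Maven `pom.properties` files shipped under `META-INF/maven/`, and flags commons-compress or logback versions below the fixed releases. The floor of 1.21 for commons-compress is the release that fixed CVE-2021-36090; the logback floors of 1.2.13 and 1.4.14 are the versions the asker requested. The class-prefix fallback (for shaded jars whose `pom.properties` were stripped), the verdict strings and the sample jar layout are the example's own choices, and the jar it scans is constructed in memory so the script runs offline.

```python
"""Audit a jar for bundled third-party libraries that are below a known-fixed
version.  Added example for the thread above, not code from Databricks or from
the Databricks JDBC driver.  The jar scanned by default is constructed in
memory (see build_sample_jar); pass audit_jar() the bytes of a real driver jar
to check it the same way."""
import io
import re
import zipfile

# Floors that carry the fixes discussed in the thread.  commons-compress 1.21
# is the release that fixed CVE-2021-36090; the logback floors are the 1.2.13
# and 1.4.14 releases the asker named for CVE-2023-6378 and CVE-2023-6481.
# The check is deliberately conservative: a version is accepted only if it is
# at or above a floor on the same major.minor line, or at or above the highest
# floor listed.  Anything else (for example a 1.3.x logback) is flagged rather
# than silently accepted.
FIXED_FLOORS = {
    "org.apache.commons:commons-compress": ["1.21"],
    "ch.qos.logback:logback-classic": ["1.2.13", "1.4.14"],
    "ch.qos.logback:logback-core": ["1.2.13", "1.4.14"],
}

# Package prefixes used to detect a bundled library whose pom.properties has
# been stripped (common in shaded jars).  Assumed layout, not taken from the page.
CLASS_PREFIXES = {
    "org.apache.commons:commons-compress": "org/apache/commons/compress/",
    "ch.qos.logback:logback-classic": "ch/qos/logback/classic/",
    "ch.qos.logback:logback-core": "ch/qos/logback/core/",
}

POM_RE = re.compile(r"^META-INF/maven/(?P<group>[^/]+)/(?P<artifact>[^/]+)/pom\.properties$")


def parse_version(text):
    """'1.2.13' -> (1, 2, 13); qualifiers such as '-SNAPSHOT' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_fixed(version, floors):
    """True if version satisfies one of the floors under the rule described above."""
    v = parse_version(version)
    parsed = sorted(parse_version(f) for f in floors)
    highest = parsed[-1]
    return any(v >= f and (f == highest or v[:2] == f[:2]) for f in parsed)


def read_pom_properties(raw):
    """Parse a Maven pom.properties file (key=value lines, '#' comments) into a dict."""
    props = {}
    for line in raw.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit_jar(jar_bytes):
    """Return {coordinate: (version or None, verdict)} for every watched library
    the jar bundles.  Verdicts: 'ok', 'needs update', 'version unknown'."""
    versions = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        for name in names:
            match = POM_RE.match(name)
            if match:
                props = read_pom_properties(jar.read(name))
                group = props.get("groupId", match["group"])
                artifact = props.get("artifactId", match["artifact"])
                if "version" in props:
                    versions[f"{group}:{artifact}"] = props["version"]
    report = {}
    for coord, floors in FIXED_FLOORS.items():
        if coord in versions:
            verdict = "ok" if is_fixed(versions[coord], floors) else "needs update"
            report[coord] = (versions[coord], verdict)
        elif any(n.startswith(CLASS_PREFIXES[coord]) for n in names):
            # Bundled, but no pom.properties survived to tell us the version.
            report[coord] = (None, "version unknown")
    return report


def build_sample_jar(compress_version="1.20", logback_version="1.2.3"):
    """Constructed sample jar: bundles the dependency versions the thread reports,
    with pom.properties present for two libraries and stripped for logback-core."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("META-INF/maven/org.apache.commons/commons-compress/pom.properties",
                     f"#Generated by Maven\nversion={compress_version}\n"
                     "groupId=org.apache.commons\nartifactId=commons-compress\n")
        jar.writestr("META-INF/maven/ch.qos.logback/logback-classic/pom.properties",
                     f"version={logback_version}\ngroupId=ch.qos.logback\n"
                     "artifactId=logback-classic\n")
        # Placeholder class files (only the path matters for the prefix check).
        jar.writestr("ch/qos/logback/core/util/FileUtil.class", b"\xca\xfe\xba\xbe")
        jar.writestr("org/apache/commons/compress/archivers/ArchiveEntry.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for coord, (version, verdict) in sorted(audit_jar(build_sample_jar()).items()):
        print(f"{coord:45} {version or '?':8} {verdict}")
```

Against the constructed jar this reports commons-compress 1.20 and logback-classic 1.2.3 as "needs update" and logback-core as "version unknown" (bundled, but its `pom.properties` is missing, so the version must be confirmed another way, for example by inspecting the class file versions or the vendor's release notes). Feeding the same function the bytes of a downloaded driver jar, before and after the replacement step the reply describes, gives a concrete check that the bundled versions really changed.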

 