@Jimin Hsieh :
The Databricks control plane and cloud accounts are managed services provided by Databricks, and as such, they manage the underlying infrastructure and software stack.
Regarding the Spark Hive thrift vulnerability (CVE-2020-13949), Databricks is aware of this issue and has taken steps to mitigate it. The Databricks Runtime for Apache Spark includes a patched version of Hive that addresses this vulnerability.
However, if you are using a custom version of Spark or Hive, you may need to apply the patch yourself. In this case, I recommend contacting Databricks support for guidance on how to proceed.
It's worth noting that the open issue on the Spark JIRA board (SPARK-37090) is related to upgrading Thrift to version 0.14, which should address this vulnerability. Once this issue is resolved in Spark, Databricks is likely to update their Databricks Runtime for Apache Spark to include the new version of Thrift.
In summary, if you are using the Databricks Runtime for Apache Spark, Databricks has already taken steps to address the CVE-2020-13949 vulnerability. However, if you are using a custom version of Spark or Hive, you may need to apply the patch yourself or contact Databricks support for guidance.
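
Added example, not part of the reply above and not Databricks or Spark code: for the custom Spark or Hive case, this Python script inventories a jars directory for Thrift copies older than the 0.14 release named in the reply. It assumes the usual `libthrift-X.Y.Z.jar` file naming and the `org/apache/thrift/` package path; the sample jar names are constructed for the demo.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIXED = (0, 14, 0)  # the reply names Thrift 0.14 as the version that addresses the CVE
NAME_RE = re.compile(r"^libthrift-(\d+)\.(\d+)\.(\d+)")  # assumed naming convention

def audit_jars(jar_dir):
    """Map jar name to a finding for libthrift jars, jars bundling Thrift, and unreadable jars."""
    findings = {}
    for jar in sorted(Path(jar_dir).glob("*.jar")):
        m = NAME_RE.match(jar.name)
        if m:  # stand-alone libthrift: the version is in the file name
            version = tuple(int(p) for p in m.groups())
            findings[jar.name] = "ok" if version >= FIXED else "below-0.14"
            continue
        try:  # any other jar: look for Thrift classes packed inside it
            with zipfile.ZipFile(jar) as zf:
                bundled = any(n.startswith("org/apache/thrift/") and n.endswith(".class")
                              for n in zf.namelist())
        except zipfile.BadZipFile:
            findings[jar.name] = "unreadable"
            continue
        if bundled:  # version cannot be read from the name, needs manual review
            findings[jar.name] = "bundled-unknown-version"
    return findings

def build_sample_dir(root):
    """Constructed sample: jar names and contents are made up for the demo."""
    def make(name, entries):
        with zipfile.ZipFile(Path(root) / name, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")
    make("libthrift-0.12.0.jar", ["org/apache/thrift/TBase.class"])
    make("libthrift-0.14.1.jar", ["org/apache/thrift/TBase.class"])
    make("example-fat.jar", ["org/apache/thrift/TBase.class", "com/example/A.class"])
    make("example-clean.jar", ["com/example/B.class"])
    (Path(root) / "truncated.jar").write_bytes(b"not a zip")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_dir(d)
        for name, finding in audit_jars(d).items():
            print(f"{finding:24} {name}")
```

A build that backports the fix without changing the version number is still reported as `below-0.14`, and a jar that relocates the Thrift package is not detected, so treat the output as a list of jars to confirm rather than a verdict.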