cancel
Showing results for 
Search instead for 
Did you mean: 
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Showing results for 
Search instead for 
Did you mean: 

Does thrift only exist in databrick control plane?

JH
New Contributor II

Hi all,

I'm a user of Azure databricks. We recently found there is a thrift vulnerability issue (CVE-2020-13949) in Spark Hive. We have tried to fix it at our side. We also found there is a open issue at Spark jira board - https://issues.apache.org/jira/browse/SPARK-37090. It seems there is no way to solve it.

I'm trying to figure out does thrift usage exist in databricks control plane/cloud account or is this managed by databricks. So our team can move forward.

Thanks

5 REPLIES 5

Anonymous
Not applicable

@Jimin Hsieh​ :

Databricks control plane and cloud accounts are managed services provided by Databricks, and as such, they manage the underlying infrastructure and software stack.

Regarding the Spark Hive thrift vulnerability (CVE-2020-13949), Databricks is aware of this issue and has taken steps to mitigate it. The Databricks Runtime for Apache Spark includes a patched version of Hive that addresses this vulnerability.

However, if you are using a custom version of Spark or Hive, you may need to apply the patch yourself. In this case, I recommend contacting Databricks support for guidance on how to proceed.

It's worth noting that the open issue in Spark JIRA board (SPARK-37090) is related to upgrading Thrift to version 0.14, which should address this vulnerability. Once this issue is resolved in Spark, Databricks is likely to update their Databricks Runtime for Apache Spark to include the new version of Thrift.

In summary, if you are using the Databricks Runtime for Apache Spark, Databricks has already taken steps to address the CVE-2020-13949 vulnerability. However, if you are using a custom version of Spark or Hive, you may need to apply the patch yourself or contact Databricks support for guidance.

JH
New Contributor II

Hi @Suteja Kanuri​ and @Vidula Khanna​  I have 2 remaining questions which need your confirmation.

  1. Does CVE-2020-13949 affect data plane or not?
  2. Do you know from which version of databricks runtime you begin to have the patch for this vulnerability? Or is it confirmed that the patch for this vulnerability is existed in databricks runtime 10.4 LTS

Thanks.

Anonymous
Not applicable

@Jimin Hsieh​ :

CVE-2020-13949 is a vulnerability in Apache Tomcat, which is used by Databricks for web access to the control plane. This vulnerability can allow a remote attacker to view sensitive information, modify user sessions, or execute arbitrary code on the control plane. It does not directly affect the data plane.

Databricks has released a security update to address CVE-2020-13949. The update was first included in Databricks Runtime 7.3 LTS and is also included in all subsequent LTS releases, including 10.4 LTS.

If you are using a Databricks runtime version earlier than 7.3 LTS, you should upgrade to a newer LTS release that includes the security update. Additionally, if you are running your own Apache Tomcat instances, you should ensure that they are patched or updated to address this vulnerability.

Anonymous
Not applicable

Hi @Jimin Hsieh​ 

Hope everything is going great.

Just wanted to check in if you were able to resolve your issue. If yes, would you be happy to mark an answer as best so that other members can find the solution more quickly? If not, please tell us so we can help you. 

Cheers!

JH
New Contributor II

Done.

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you won’t want to miss the chance to attend and share knowledge.

If there isn’t a group near you, start one and help create a community that brings people together.

Request a New Group