
[Bug]: Mitigate impact of CVE-2023-47248 for Apache Beam #29392

Closed
1 task done
tvalentyn opened this issue Nov 10, 2023 · 1 comment
Labels: bug, done & done (Issue has been reviewed after it was closed for verification, followups, etc.), P1, python

Comments

@tvalentyn
Contributor

tvalentyn commented Nov 10, 2023

What happened?

There is a recently disclosed vulnerability affecting the PyArrow dependency: https://nvd.nist.gov/vuln/detail/CVE-2023-47248, which might be a matter of concern for some Beam users who read parquet files from untrusted sources.

To address this, we have applied the mitigation provided by https://pypi.org/project/pyarrow-hotfix/ in Beam 2.52.0, and will upgrade Beam to support pyarrow==14 in a future release.

Users of Beam version 2.51.0 or below who use pyarrow in their pipelines and are concerned about CVE-2023-47248 can apply the following workaround:

  1. Install the pyarrow-hotfix package on the workers.
  2. Add import pyarrow_hotfix to the pipeline code: if the pipeline is composed of only one module, add the --save_main_session pipeline option. If the pipeline is comprised of multiple files and uses --setup_file, add the import to the pipeline package files, for example in the __init__.py file.

Issue Priority

Priority: 1 (major)

Issue Components

  • Component: Python SDK
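The workaround above has two deployment shapes (a single module shipped with --save_main_session, or a package shipped with --setup_file and the import inside the package). The following preflight check, an added example that is not Beam project code, takes the pipeline's command-line options and the text of its source files and reports which step of the workaround is missing. It assumes, beyond what the issue states, that the worker install is done through --requirements_file, so that file is checked for the pyarrow-hotfix requirement when it is supplied.

```python
import re

# Matches a module-level or indented "import pyarrow_hotfix" statement.
_IMPORT_RE = re.compile(r"^\s*import\s+pyarrow_hotfix\b", re.MULTILINE)
# Matches the distribution name in a requirements file (pyarrow-hotfix / pyarrow_hotfix).
_REQ_RE = re.compile(r"^\s*pyarrow[-_]hotfix\b", re.MULTILINE | re.IGNORECASE)


def option_value(args, name):
    """Return the value of --name written as '--name=v' or '--name v', else None."""
    for i, arg in enumerate(args):
        if arg.startswith(f"--{name}="):
            return arg.split("=", 1)[1]
        if arg == f"--{name}" and i + 1 < len(args):
            return args[i + 1]
    return None


def check_workaround(args, sources, main_module):
    """Return a list of problems; empty means both workaround steps are in place."""
    problems = []
    setup_file = option_value(args, "setup_file")
    if setup_file is None:
        # Single-module pipeline: the import lives in the main module and
        # --save_main_session ships that module's session to the workers.
        if not _IMPORT_RE.search(sources.get(main_module, "")):
            problems.append(f"{main_module}: missing 'import pyarrow_hotfix'")
        if "--save_main_session" not in args:
            problems.append("single-module pipeline without --save_main_session")
    else:
        # Multi-file pipeline with --setup_file: the import must sit inside the
        # package (the issue suggests __init__.py); the main module is not shipped.
        pkg = [p for p in sources if p.endswith(".py") and p not in (main_module, setup_file)]
        if not any(_IMPORT_RE.search(sources[p]) for p in pkg):
            problems.append("no package module imports pyarrow_hotfix (e.g. __init__.py)")
    # Assumption (not on the page): workers get the package via --requirements_file.
    req_file = option_value(args, "requirements_file")
    if req_file is not None and not _REQ_RE.search(sources.get(req_file, "")):
        problems.append(f"{req_file}: pyarrow-hotfix not listed for the workers")
    return problems


# Constructed sample: a single-file pipeline that forgot --save_main_session.
SAMPLE_ARGS = ["--runner=DataflowRunner", "--requirements_file", "requirements.txt"]
SAMPLE_SOURCES = {
    "pipeline.py": "import apache_beam as beam\nimport pyarrow_hotfix  # noqa: F401\n",
    "requirements.txt": "apache-beam[gcp]==2.51.0\npyarrow-hotfix\n",
}
```

Calling check_workaround(SAMPLE_ARGS, SAMPLE_SOURCES, "pipeline.py") reports only the missing --save_main_session; for a --setup_file pipeline, pass the package's module paths and contents in sources so the __init__.py check applies.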
@tvalentyn
Contributor Author

tvalentyn commented Nov 15, 2023

Beam 2.52.0 has the mitigation, remaining AIs are tracked in #28410.

@damccorm damccorm added the done & done Issue has been reviewed after it was closed for verification, followups, etc. label Nov 20, 2023