IBM Security Bulletin: Vulnerability in dependent component distributed in IBM Development Package for Apache Spark (CVE-2015-1832)
Apache Derby versions up to 10.12.1.1 may be susceptible to an XML external entity (XXE) attack. Hive’s metastore, where created, requires Derby when Apache Hadoop data sources are used with Apache Spark. Apache Derby is therefore included in the IBM Development Package for Apache Spark.
CVE(s): CVE-2015-1832
Affected product(s) and affected version(s):
IBM Development Package for Apache Spark 1.6.2.0 and earlier releases.
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2bVm6NW
X-Force Database: http://ift.tt/2bWzdnb
from IBM Product Security Incident Response Team http://ift.tt/2bVj1he