June 9, 2025
This release (1.23.1-H3) of the Cloudera Data Engineering service on Cloudera on cloud introduces the following changes.
This release does not contain new features, but includes a fix for Apache Parquet CVE-2025-30065.
Apache Parquet CVE-2025-30065 details
CVE-2025-30065: Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code.
CVE: NVD - CVE-2025-30065
Severity (Critical): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
For the latest update on this issue, see the corresponding Knowledge article: Cloudera Customer Advisory 2025-847: Cloudera's remediation actions for Apache Parquet CVE-2025-30065.
Spark images affected by Apache Parquet CVE-2025-30065 in 1.23.1-h2
The following Apache Spark images are affected by the Apache Parquet CVE:
- Spark 3.2.x image names:
  - dex-livy-runtime-3.2.3-7.2.15.8:1.23.1-h2-b3
  - dex-spark-runtime-3.2.3-7.2.15.8:1.23.1-h2-b3
  - dex-livy-server-3.2.3-7.2.15.8:1.23.1-h2-b3
- Spark 3.3.x image names:
  - dex-livy-server-3.3.0-7.2.16.200:1.23.1-h2-b3
  - dex-spark-runtime-3.3.0-7.2.16.200:1.23.1-h2-b3
  - dex-livy-runtime-3.3.0-7.2.16.200:1.23.1-h2-b3
- Spark 3.5.x image names:
  - dex-livy-runtime-3.5.1-7.2.18.0:1.23.1-h2-b3
  - dex-spark-runtime-3.5.1-7.2.18.0:1.23.1-h2-b3
  - dex-livy-server-3.5.1-7.2.18.0:1.23.1-h2-b3
Spark images not affected by Apache Parquet CVE-2025-30065
- Spark 2.x: Spark 2.x images are not affected by the Parquet CVE.
The Spark History Server image for Cloudera Data Engineering 1.23.1 or lower versions does not include the shaded Parquet JARs.
Script incorporating the Parquet fixes
Go to the Cloudera Data Engineering section of Cloudera Customer Advisory 2025-847: Cloudera's remediation actions for Apache Parquet CVE-2025-30065 and follow the procedure described there. The script updates the Spark Runtime, Livy Runtime, and Livy Server with the updated images that incorporate the Parquet fixes.
