Repository: spark-website Updated Branches: refs/heads/asf-site a63b5f427 -> e33a4bb7d
Add CVE-2018-11770 Project: http://git-wip-us.apache.org/repos/asf/spark-website/repo Commit: http://git-wip-us.apache.org/repos/asf/spark-website/commit/e33a4bb7 Tree: http://git-wip-us.apache.org/repos/asf/spark-website/tree/e33a4bb7 Diff: http://git-wip-us.apache.org/repos/asf/spark-website/diff/e33a4bb7 Branch: refs/heads/asf-site Commit: e33a4bb7d8bbc25bb6a7d96c8bd6c13e3b05e77b Parents: a63b5f4 Author: Sean Owen <sro...@gmail.com> Authored: Mon Aug 13 09:25:05 2018 -0500 Committer: Sean Owen <sro...@gmail.com> Committed: Mon Aug 13 09:25:05 2018 -0500 ---------------------------------------------------------------------- security.md | 62 +++++++++++++++++++++++++++++-- site/security.html | 99 +++++++++++++++++++++++++++++++++++++++---------- 2 files changed, 138 insertions(+), 23 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/spark-website/blob/e33a4bb7/security.md ---------------------------------------------------------------------- diff --git a/security.md b/security.md index f99b9bd..19231f6 100644 --- a/security.md +++ b/security.md 
@@ -10,15 +10,55 @@ navigation: <h2>Reporting Security Issues</h2> Apache Spark uses the standard process outlined by the [Apache Security Team](https://www.apache.org/security/) -for reporting vulnerabilities. +for reporting vulnerabilities. Note that vulnerabilities should not be publicly disclosed until the project has +responded. To report a possible security vulnerability, please email `secur...@apache.org`. This is a non-public list that will reach the Apache Security team, as well as the Spark PMC. <h2>Known Security Issues</h2> +<h3 id="CVE-2018-11770">CVE-2018-11770: Apache Spark standalone master, Mesos REST APIs not controlled by authentication</h3> + +Severity: Medium + +Vendor: The Apache Software Foundation + +Versions Affected: + +- Spark versions from 1.3.0, running standalone master with REST API enabled, or running Mesos master with cluster mode enabled + +Description: + +From version 1.3.0 onward, Spark's standalone master exposes a REST API for job submission, in addition +to the submission mechanism used by `spark-submit`. In standalone, the config property +`spark.authenticate.secret` establishes a shared secret for authenticating requests to submit jobs via +`spark-submit`. However, the REST API does not use this or any other authentication mechanism, and this is +not adequately documented. In this case, a user would be able to run a driver program without authenticating, +but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in +cluster mode (i.e., when also running `MesosClusterDispatcher`), for job submission. Future versions of Spark +will improve documentation on these points, and prohibit setting `spark.authenticate.secret` when running +the REST APIs, to make this clear. Future versions will also disable the REST API by default in the +standalone master by changing the default value of `spark.master.rest.enabled` to `false`. 
+ +Mitigation: + +For standalone masters, disable the REST API by setting `spark.master.rest.enabled` to `false` if it is unused, +and/or ensure that all network access to the REST API (port 6066 by default) is restricted to hosts that are +trusted to submit jobs. Mesos users can stop the `MesosClusterDispatcher`, though that will prevent them +from running jobs in cluster mode. Alternatively, they can ensure access to the `MesosRestSubmissionServer` +(port 7077 by default) is restricted to trusted hosts. + +Credit: + +- Imran Rashid, Cloudera +- Fengwei Zhang, Alibaba Cloud Security Team + + <h3 id="CVE-2018-8024">CVE-2018-8024: Apache Spark XSS vulnerability in UI</h3> +Severity: Medium + Versions Affected: - Spark versions through 2.1.2 @@ -26,6 +66,7 @@ Versions Affected: - Spark 2.3.0 Description: + In Apache Spark up to and including 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from @@ -55,6 +96,7 @@ Versions affected: - Spark 2.3.0 Description: + In Apache Spark up to and including 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. @@ -79,9 +121,11 @@ Severity: Medium Vendor: The Apache Software Foundation Versions Affected: -Versions of Apache Spark from 1.6.0 until 2.1.1 + +- Versions of Apache Spark from 1.6.0 until 2.1.1 Description: + In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially 
@@ -92,6 +136,7 @@ the Spark application. Users are encouraged to update to version 2.1.2, 2.2.0 or later. Mitigation: + Update to Apache Spark 2.1.2, 2.2.0 or later. Credit: @@ -107,15 +152,24 @@ Severity: Medium Vendor: The Apache Software Foundation Versions Affected: -Versions of Apache Spark before 2.1.2, 2.2.0 + +- Versions of Apache Spark before 2.1.2, 2.2.0 Description: -It is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs. + +It is possible for an attacker to take advantage of a user's trust in the server to trick them into +visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark +master, or history server. This data, which could contain a script, would then be reflected back to +the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark +itself, but on the user, who may then execute the script inadvertently when viewing elements of the +Spark web UIs. Mitigation: + Update to Apache Spark 2.1.2, 2.2.0 or later. Example: + Request: ``` http://git-wip-us.apache.org/repos/asf/spark-website/blob/e33a4bb7/site/security.html ---------------------------------------------------------------------- diff --git a/site/security.html b/site/security.html index 5bd5ea4..4e42fe7 100644 --- a/site/security.html +++ b/site/security.html 
@@ -203,15 +203,58 @@ <h2>Reporting Security Issues</h2> <p>Apache Spark uses the standard process outlined by the <a href="https://www.apache.org/security/">Apache Security Team</a> -for reporting vulnerabilities.</p> +for reporting vulnerabilities. Note that vulnerabilities should not be publicly disclosed until the project has +responded.</p> <p>To report a possible security vulnerability, please email <code>secur...@apache.org</code>. This is a non-public list that will reach the Apache Security team, as well as the Spark PMC.</p> <h2>Known Security Issues</h2> +<h3 id="CVE-2018-11770">CVE-2018-11770: Apache Spark standalone master, Mesos REST APIs not controlled by authentication</h3> + +<p>Severity: Medium</p> + +<p>Vendor: The Apache Software Foundation</p> + +<p>Versions Affected:</p> + +<ul> + <li>Spark versions from 1.3.0, running standalone master with REST API enabled, or running Mesos master with cluster mode enabled</li> +</ul> + +<p>Description:</p> + +<p>From version 1.3.0 onward, Spark’s standalone master exposes a REST API for job submission, in addition +to the submission mechanism used by <code>spark-submit</code>. In standalone, the config property +<code>spark.authenticate.secret</code> establishes a shared secret for authenticating requests to submit jobs via +<code>spark-submit</code>. However, the REST API does not use this or any other authentication mechanism, and this is +not adequately documented. In this case, a user would be able to run a driver program without authenticating, +but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in +cluster mode (i.e., when also running <code>MesosClusterDispatcher</code>), for job submission. Future versions of Spark +will improve documentation on these points, and prohibit setting <code>spark.authenticate.secret</code> when running +the REST APIs, to make this clear. 
Future versions will also disable the REST API by default in the +standalone master by changing the default value of <code>spark.master.rest.enabled</code> to <code>false</code>.</p> + +<p>Mitigation:</p> + +<p>For standalone masters, disable the REST API by setting <code>spark.master.rest.enabled</code> to <code>false</code> if it is unused, +and/or ensure that all network access to the REST API (port 6066 by default) is restricted to hosts that are +trusted to submit jobs. Mesos users can stop the <code>MesosClusterDispatcher</code>, though that will prevent them +from running jobs in cluster mode. Alternatively, they can ensure access to the <code>MesosRestSubmissionServer</code> +(port 7077 by default) is restricted to trusted hosts.</p> + +<p>Credit:</p> + +<ul> + <li>Imran Rashid, Cloudera</li> + <li>Fengwei Zhang, Alibaba Cloud Security Team</li> +</ul> + <h3 id="CVE-2018-8024">CVE-2018-8024: Apache Spark XSS vulnerability in UI</h3> +<p>Severity: Medium</p> + <p>Versions Affected:</p> <ul> @@ -220,8 +263,9 @@ non-public list that will reach the Apache Security team, as well as the Spark P <li>Spark 2.3.0</li> </ul> -<p>Description: -In Apache Spark up to and including 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it’s possible for a malicious +<p>Description:</p> + +<p>In Apache Spark up to and including 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it’s possible for a malicious user to construct a URL pointing to a Spark cluster’s UI’s job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user’s view of the Spark UI. While some browsers like recent versions of Chrome and Safari are 
@@ -255,8 +299,9 @@ able to block this type of attack, current versions of Firefox (and possibly oth <li>Spark 2.3.0</li> </ul> -<p>Description: -In Apache Spark up to and including 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, +<p>Description:</p> + +<p>In Apache Spark up to and including 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it’s possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.</p> @@ -283,11 +328,15 @@ user running the Spark application.</p> <p>Vendor: The Apache Software Foundation</p> -<p>Versions Affected: -Versions of Apache Spark from 1.6.0 until 2.1.1</p> +<p>Versions Affected:</p> + +<ul> + <li>Versions of Apache Spark from 1.6.0 until 2.1.1</li> +</ul> -<p>Description: -In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe +<p>Description:</p> + +<p>In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user @@ -296,8 +345,9 @@ spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.1.2, 2.2.0 or later.</p> -<p>Mitigation: -Update to Apache Spark 2.1.2, 2.2.0 or later.</p> +<p>Mitigation:</p> + +<p>Update to Apache Spark 2.1.2, 2.2.0 or later.</p> <p>Credit:</p> 
@@ -313,17 +363,28 @@ Update to Apache Spark 2.1.2, 2.2.0 or later.</p> <p>Vendor: The Apache Software Foundation</p> -<p>Versions Affected: -Versions of Apache Spark before 2.1.2, 2.2.0</p> +<p>Versions Affected:</p> + +<ul> + <li>Versions of Apache Spark before 2.1.2, 2.2.0</li> +</ul> + +<p>Description:</p> + +<p>It is possible for an attacker to take advantage of a user’s trust in the server to trick them into +visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark +master, or history server. This data, which could contain a script, would then be reflected back to +the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark +itself, but on the user, who may then execute the script inadvertently when viewing elements of the +Spark web UIs.</p> + +<p>Mitigation:</p> -<p>Description: -It is possible for an attacker to take advantage of a user’s trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.</p> +<p>Update to Apache Spark 2.1.2, 2.2.0 or later.</p> -<p>Mitigation: -Update to Apache Spark 2.1.2, 2.2.0 or later.</p> +<p>Example:</p> -<p>Example: -Request:</p> +<p>Request:</p> <pre><code>GET /app/?appId=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a-- _AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer- --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@spark.apache.org For additional commands, e-mail: commits-h...@spark.apache.org
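Review bot: in the security.md hunk at @@ -10,15 +10,55 @@, the Mitigation section for CVE-2018-11770 names no release that carries the fix, whereas every other entry on the page ends its mitigation with a version to update to; the Description only promises that "Future versions" will change the default of `spark.master.rest.enabled` to `false` and prohibit `spark.authenticate.secret` together with the REST API. Add the target release once it is known, and repeat under Mitigation (not only in the Description) that `spark.authenticate.secret` does not protect the REST endpoint on port 6066, so an operator who has set a secret does not read the standalone master as already covered. In the same hunk, the new `Severity: Medium` line under CVE-2018-8024 is not paired with a `Vendor: The Apache Software Foundation` line, which the other entries carry.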
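Review bot: the site/security.html hunk at @@ -203,15 +203,58 @@ reproduces the Markdown text verbatim, including CVE-2018-8024 gaining `<p>Severity: Medium</p>` but no `<p>Vendor: The Apache Software Foundation</p>` as the surrounding entries have. The HTML appears to be the rendered copy of security.md (it carries the smart quote in "Spark’s" where the Markdown has a plain apostrophe), so the consistency fix belongs in security.md with the HTML regenerated from it, rather than editing site/security.html by hand, so the two files stay in sync.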