This is an automated email from the ASF dual-hosted git repository.

srowen pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/spark-website.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 28acafb092 Add CVE-2023-22946
28acafb092 is described below

commit 28acafb0929be2f9aef1fa09c0683566b057bba8
Author: Sean Owen <sro...@gmail.com>
AuthorDate: Sat Apr 15 08:29:48 2023 -0500

    Add CVE-2023-22946
---
 security.md        | 29 +++++++++++++++++++++++++++++
 site/security.html | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)

diff --git a/security.md b/security.md
index 5147a7e915..805e400fa4 100644
--- a/security.md
+++ b/security.md
@@ -18,6 +18,35 @@ non-public list that will reach the Apache Security team, as 
well as the Spark P
 
 <h2>Known security issues</h2>
 
+<h3 id="CVE-2023-22946">CVE-2023-22946: Apache Spark proxy-user privilege 
escalation from malicious configuration class</h3>
+
+Severity: Medium
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+- Versions prior to 3.4.0
+
+Description:
+
+In Apache Spark versions prior to 3.4.0, applications using spark-submit can 
specify a 'proxy-user' to run as, 
+limiting privileges. The application can execute code with the privileges of 
the submitting user, however, by 
+providing malicious configuration-related classes on the classpath. This 
affects architectures relying on 
+proxy-user, for example those using Apache Livy to manage submitted 
applications.
+
+This issue is being tracked as SPARK-41958
+
+Mitigation:
+
+- Update to Apache Spark 3.4.0 or later, and ensure that 
`spark.submit.proxyUser.allowCustomClasspathInClusterMode` is set to its 
default of "false", and is not overridden by submitted applications.
+
+Credit:
+
+- Hideyuki Furue (finder)
+- Yi Wu (Databricks) (remediation developer)
+
+
 <h3 id="CVE-2022-31777">CVE-2022-31777: Apache Spark XSS vulnerability in log 
viewer UI Javascript</h3>
 
 Severity: Medium
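Review bot: The line `+This issue is being tracked as SPARK-41958` should link to the SPARK-41958 issue in the Spark JIRA and end with a period, since it is the pointer readers will follow for the fix details. Two smaller points in the same hunk: the single Mitigation bullet bundles two separate actions and reads better split into `- Update to Apache Spark 3.4.0 or later.` and `- Ensure that \`spark.submit.proxyUser.allowCustomClasspathInClusterMode\` stays at its default of "false" and is not overridden by submitted applications.`; and the two added blank `+` lines before `<h3 id="CVE-2022-31777">` leave a double blank line where the surrounding entries use one, so drop one of them.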
diff --git a/site/security.html b/site/security.html
index 1c3128a493..57b3def5b5 100644
--- a/site/security.html
+++ b/site/security.html
@@ -133,6 +133,40 @@ non-public list that will reach the Apache Security team, 
as well as the Spark P
 
 <h2>Known security issues</h2>
 
+<h3 id="CVE-2023-22946">CVE-2023-22946: Apache Spark proxy-user privilege 
escalation from malicious configuration class</h3>
+
+<p>Severity: Medium</p>
+
+<p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected:</p>
+
+<ul>
+  <li>Versions prior to 3.4.0</li>
+</ul>
+
+<p>Description:</p>
+
+<p>In Apache Spark versions prior to 3.4.0, applications using spark-submit 
can specify a &#8216;proxy-user&#8217; to run as, 
+limiting privileges. The application can execute code with the privileges of 
the submitting user, however, by 
+providing malicious configuration-related classes on the classpath. This 
affects architectures relying on 
+proxy-user, for example those using Apache Livy to manage submitted 
applications.</p>
+
+<p>This issue is being tracked as SPARK-41958</p>
+
+<p>Mitigation:</p>
+
+<ul>
+  <li>Update to Apache Spark 3.4.0 or later, and ensure that <code 
class="language-plaintext 
highlighter-rouge">spark.submit.proxyUser.allowCustomClasspathInClusterMode</code>
 is set to its default of &#8220;false&#8221;, and is not overridden by 
submitted applications.</li>
+</ul>
+
+<p>Credit:</p>
+
+<ul>
+  <li>Hideyuki Furue (finder)</li>
+  <li>Yi Wu (Databricks) (remediation developer)</li>
+</ul>
+
 <h3 id="CVE-2022-31777">CVE-2022-31777: Apache Spark XSS vulnerability in log 
viewer UI Javascript</h3>
 
 <p>Severity: Medium</p>
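Review bot: site/security.html is generated from security.md (the `<code class="language-plaintext highlighter-rouge">` wrapper and the `&#8216;`/`&#8220;` entities are the Rouge/Jekyll rendering), so the same points apply here and should be fixed in the markdown source and regenerated rather than hand-edited: `<p>This issue is being tracked as SPARK-41958</p>` carries the issue id without a link or terminal punctuation, and the single mitigation `<li>` bundles the upgrade with the `spark.submit.proxyUser.allowCustomClasspathInClusterMode` check. The generated entry is otherwise consistent with the markdown hunk (same heading id, severity, versions, mitigation text and credits).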

