This is an automated email from the ASF dual-hosted git repository.

srowen pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/spark-website.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 18cbd9e65 CVE-2022-33891 details
18cbd9e65 is described below

commit 18cbd9e65912aac3a19251403061c45a35b4e391
Author: Sean Owen <sro...@gmail.com>
AuthorDate: Sun Jul 17 19:08:14 2022 -0500

    CVE-2022-33891 details
    
    Author: Sean Owen <sro...@gmail.com>
    
    Closes #406 from srowen/CVE-2022-33891.
---
 security.md        | 30 ++++++++++++++++++++++++++++++
 site/security.html | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+)

diff --git a/security.md b/security.md
index 32bbb745c..0fb077b05 100644
--- a/security.md
+++ b/security.md
@@ -18,6 +18,36 @@ non-public list that will reach the Apache Security team, as 
well as the Spark P
 
 <h2>Known security issues</h2>
 
+<h3 id="CVE-2022-33891">CVE-2022-33891: Apache Spark shell command injection 
vulnerability via Spark UI</h3>
+
+Severity: Important
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+- 3.0.3 and earlier
+- 3.1.1 to 3.1.2
+- 3.2.0 to 3.2.1
+
+Description:
+
+The Apache Spark UI offers the possibility to enable ACLs via the 
configuration option spark.acls.enable. 
+With an authentication filter, this checks whether a user has access 
permissions to view or modify the application. 
+If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to 
perform impersonation by providing an 
+arbitrary user name. A malicious user might then be able to reach a permission 
check function that will ultimately 
+build a Unix shell command based on their input, and execute it. This will 
result in arbitrary shell command 
+execution as the user Spark is currently running as.
+
+Mitigation
+
+- Update to Spark 3.1.3, 3.2.2, or 3.3.0 or later
+
+Credit:
+
+- Kostya Torchinsky (Databricks)
+
+
 <h3 id="CVE-2021-38296">CVE-2021-38296: Apache Spark<span 
class="tm">&trade;</span> Key Negotiation Vulnerability</h3>
 
 Severity: Medium
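Review bot: the Versions Affected list leaves 3.1.0 outside both ranges ("3.0.3 and earlier", "3.1.1 to 3.1.2"); either add it or state that it is intentionally omitted, because a reader checking a 3.1.0 deployment cannot tell from this text whether it is in scope. The description also makes the HttpSecurityFilter impersonation path reachable only "If ACLs are enabled" via spark.acls.enable, yet Mitigation lists only the upgrade; if running with ACLs disabled is an acceptable interim workaround, say so, and if it is not, say why, so operators who cannot upgrade immediately know where they stand. Minor: "Mitigation" lacks the trailing colon used on "Description:" and "Credit:".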
diff --git a/site/security.html b/site/security.html
index 3ee2b8ab4..d750bd0c0 100644
--- a/site/security.html
+++ b/site/security.html
@@ -133,6 +133,41 @@ non-public list that will reach the Apache Security team, 
as well as the Spark P
 
 <h2>Known security issues</h2>
 
+<h3 id="CVE-2022-33891">CVE-2022-33891: Apache Spark shell command injection 
vulnerability via Spark UI</h3>
+
+<p>Severity: Important</p>
+
+<p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected:</p>
+
+<ul>
+  <li>3.0.3 and earlier</li>
+  <li>3.1.1 to 3.1.2</li>
+  <li>3.2.0 to 3.2.1</li>
+</ul>
+
+<p>Description:</p>
+
+<p>The Apache Spark UI offers the possibility to enable ACLs via the 
configuration option spark.acls.enable. 
+With an authentication filter, this checks whether a user has access 
permissions to view or modify the application. 
+If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to 
perform impersonation by providing an 
+arbitrary user name. A malicious user might then be able to reach a permission 
check function that will ultimately 
+build a Unix shell command based on their input, and execute it. This will 
result in arbitrary shell command 
+execution as the user Spark is currently running as.</p>
+
+<p>Mitigation</p>
+
+<ul>
+  <li>Update to Spark 3.1.3, 3.2.2, or 3.3.0 or later</li>
+</ul>
+
+<p>Credit:</p>
+
+<ul>
+  <li>Kostya Torchinsky (Databricks)</li>
+</ul>
+
 <h3 id="CVE-2021-38296">CVE-2021-38296: Apache Spark<span 
class="tm">&trade;</span> Key Negotiation Vulnerability</h3>
 
 <p>Severity: Medium</p>
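Review bot: the new heading omits the <span class="tm">&trade;</span> mark that the adjacent CVE-2021-38296 heading carries after "Apache Spark"; make the two headings consistent. Since site/security.html is the rendered copy of security.md, fix that, and the missing colon that shows up here as <p>Mitigation</p>, in the markdown source as well, otherwise the next site regeneration will reintroduce the inconsistency.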


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@spark.apache.org
For additional commands, e-mail: commits-h...@spark.apache.org