Correct: as per the code below from SecurityManager.scala, if ACLs aren't
enabled, we skip the vulnerable code path (getCurrentUserGroups)

  private def isUserInACL(
      user: String,
      aclUsers: Set[String],
      aclGroups: Set[String]): Boolean = {
    if (user == null ||
        !aclsEnabled ||
        aclUsers.contains(WILDCARD_ACL) ||
        aclUsers.contains(user) ||
        aclGroups.contains(WILDCARD_ACL)) {
      true
    } else {
      val userGroups = Utils.getCurrentUserGroups(sparkConf, user)
      logDebug(s"user $user is in groups ${userGroups.mkString(",")}")
      aclGroups.exists(userGroups.contains(_))
    }
  }

On Mon, Nov 21, 2022 at 1:17 PM Sean Owen <sro...@gmail.com> wrote:

> CCing Kostya for a better view, but I believe that this will not be an
> issue if you're not using the ACLs in Spark, yes.
>
> On Mon, Nov 21, 2022 at 2:38 PM Andrew Pomponio <apompo...@perforce.com>
> wrote:
>
>> I am using Spark 2.3.0 and trying to mitigate
>> https://nvd.nist.gov/vuln/detail/CVE-2022-33891. The correct thing to do
>> is to update. However, I am told this is not happening. Thus, I am trying
>> to determine if the following are set:
>>
>>
>> spark.acls.enable false
>>
>> spark.history.ui.acls.enable false
>>
>>
>> These are 100% set in the config. I checked the config for weird
>> whitespace issues in a hex editor. Nonetheless, the config does not show up
>> in the UI. Thus, I took a heap dump. If I read the heap dump in text mode I
>> can see this:
>>
>>
>>
>> V is abstract � ��spark.acls.enable1 � 0invalid end of optional part at
>> position
>>
>>
>>
>> I am not able to find this in VisualVM or MAT to determine what that is
>> set to. Any thoughts?
>>
>>
>>
>>
>>
>> *Andrew Pomponio | Associate Enterprise Architect, OpenLogic*
>>
>> Perforce Software
>>

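The thread turns on two points: the short-circuit in isUserInACL quoted at the top (nothing in the first branch reaches getCurrentUserGroups when ACLs are off), and whether both ACL keys really parse as false in the config file the original poster inspected in a hex editor. The following Python is an added example, not from the thread and not Spark's own code, that models both. The function names, the CountingLookup stand-in for Utils.getCurrentUserGroups, and the two config texts are assumptions constructed for the demo; the parser is a simplified java.util.Properties-style reader and does not model --conf or SparkConf overrides, which take precedence over spark-defaults.conf.

```python
"""Added example (not from the thread or from Apache Spark): a Python model
of the isUserInACL short-circuit plus a checker for spark-defaults.conf that
flags the 'weird whitespace' case. Names and sample configs are constructed."""

import re
from typing import Callable, Dict, List, Set

WILDCARD_ACL = "*"  # Spark's wildcard entry for aclUsers / aclGroups
ACL_KEYS = ("spark.acls.enable", "spark.history.ui.acls.enable")

# key, optional '=' or ':', value (java.util.Properties style, simplified)
_LINE = re.compile(r"^\s*(?P<key>[^\s=:#]+)\s*[=:]?\s*(?P<value>.*)$")
_JAVA_WS = "".join(chr(c) for c in range(0x21))  # what Java's trim() strips


def java_trim(s: str) -> str:
    """Mimic Java String.trim(): only code points <= U+0020 are removed, so a
    non-breaking space (U+00A0) glued to 'false' survives and the value no
    longer equals 'false'."""
    return s.strip(_JAVA_WS)


def parse_spark_defaults(text: str) -> Dict[str, str]:
    """Simplified spark-defaults.conf reader: one 'key value' or 'key=value'
    per line, '#'/'!' comment lines, last duplicate key wins. Escapes and
    line continuations are not handled (assumption: the file uses none)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = java_trim(raw)
        if not line or line[0] in "#!":
            continue
        m = _LINE.match(line)
        if m:
            conf[m.group("key")] = java_trim(m.group("value"))
    return conf


def parse_boolean(value: str) -> bool:
    """Spark reads these keys via getBoolean, i.e. Scala's toBoolean:
    'true'/'false' case-insensitively, anything else is an error."""
    v = value.lower()
    if v == "true":
        return True
    if v == "false":
        return False
    raise ValueError(f"not a boolean: {value!r}")


def audit_acl_settings(text: str) -> List[str]:
    """Return findings for the two ACL switches; an empty list means both are
    present and parse cleanly as false in this file."""
    findings: List[str] = []
    for raw in text.splitlines():
        if any(ord(ch) > 0x7E for ch in raw):
            findings.append(f"non-ASCII byte in line: {raw!r}")
    conf = parse_spark_defaults(text)
    for key in ACL_KEYS:
        if key not in conf:
            findings.append(f"{key} not set explicitly (default is false)")
            continue
        try:
            if parse_boolean(conf[key]):
                findings.append(f"{key} is true: ACL code path is reachable")
        except ValueError as e:
            findings.append(f"{key} unparsable: {e}")
    return findings


class CountingLookup:
    """Stand-in for Utils.getCurrentUserGroups that counts how often the
    group resolver is actually consulted."""

    def __init__(self, groups: Dict[str, Set[str]]):
        self.groups = groups
        self.calls = 0

    def __call__(self, user: str) -> Set[str]:
        self.calls += 1
        return self.groups.get(user, set())


def is_user_in_acl(user, acl_users: Set[str], acl_groups: Set[str],
                   acls_enabled: bool,
                   lookup_groups: Callable[[str], Set[str]]) -> bool:
    """Python rendering of SecurityManager.isUserInACL: every condition in the
    first branch returns before lookup_groups runs; only the group-membership
    branch reaches it."""
    if (user is None or not acls_enabled or WILDCARD_ACL in acl_users
            or user in acl_users or WILDCARD_ACL in acl_groups):
        return True
    user_groups = lookup_groups(user)
    return any(g in user_groups for g in acl_groups)


# Constructed sample configs: tab and '=' separators, plus one with a
# trailing U+00A0 that a text editor would not show.
GOOD_CONF = ("# constructed spark-defaults.conf for the demo\n"
             "spark.acls.enable\tfalse\n"
             "spark.history.ui.acls.enable = false\n"
             "spark.ui.view.acls  alice,bob\n")
BAD_CONF = ("spark.acls.enable false\u00a0\n"
            "spark.history.ui.acls.enable false\n")

if __name__ == "__main__":
    print("good:", audit_acl_settings(GOOD_CONF))
    print("bad: ", audit_acl_settings(BAD_CONF))
    lk = CountingLookup({"carol": {"admins"}})
    print(is_user_in_acl("carol", set(), {"admins"}, False, lk), lk.calls)
    print(is_user_in_acl("carol", set(), {"admins"}, True, lk), lk.calls)
```

With ACLs disabled the resolver is never called, which is the point made at the top of the thread; with ACLs enabled it is called once per check. The audit on the constructed BAD_CONF reports both the non-ASCII byte and the resulting unparsable value, so a trailing U+00A0 that survives Java's trim() shows up as a finding rather than a silently "false" setting.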