This is an automated email from the ASF dual-hosted git repository. srowen pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/spark-website.git
The following commit(s) were added to refs/heads/asf-site by this push: new 18cbd9e65 CVE-2022-33891 details 18cbd9e65 is described below commit 18cbd9e65912aac3a19251403061c45a35b4e391 Author: Sean Owen <sro...@gmail.com> AuthorDate: Sun Jul 17 19:08:14 2022 -0500 CVE-2022-33891 details Author: Sean Owen <sro...@gmail.com> Closes #406 from srowen/CVE-2022-33891. --- security.md | 30 ++++++++++++++++++++++++++++++ site/security.html | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+) diff --git a/security.md b/security.md index 32bbb745c..0fb077b05 100644 --- a/security.md +++ b/security.md @@ -18,6 +18,36 @@ non-public list that will reach the Apache Security team, as well as the Spark P <h2>Known security issues</h2> +<h3 id="CVE-2022-33891">CVE-2022-33891: Apache Spark shell command injection vulnerability via Spark UI</h3> + +Severity: Important + +Vendor: The Apache Software Foundation + +Versions Affected: + +- 3.0.3 and earlier +- 3.1.1 to 3.1.2 +- 3.2.0 to 3.2.1 + +Description: + +The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. +With an authentication filter, this checks whether a user has access permissions to view or modify the application. +If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an +arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately +build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command +execution as the user Spark is currently running as. + +Mitigation + +- Update to Spark 3.1.3, 3.2.2, or 3.3.0 or later + +Credit: + +- Kostya Torchinsky (Databricks) + + <h3 id="CVE-2021-38296">CVE-2021-38296: Apache Spark<span class="tm">™</span> Key Negotiation Vulnerability</h3> Severity: Medium diff --git a/site/security.html b/site/security.html index 3ee2b8ab4..d750bd0c0 100644 
--- a/site/security.html +++ b/site/security.html @@ -133,6 +133,41 @@ non-public list that will reach the Apache Security team, as well as the Spark P <h2>Known security issues</h2> +<h3 id="CVE-2022-33891">CVE-2022-33891: Apache Spark shell command injection vulnerability via Spark UI</h3> + +<p>Severity: Important</p> + +<p>Vendor: The Apache Software Foundation</p> + +<p>Versions Affected:</p> + +<ul> + <li>3.0.3 and earlier</li> + <li>3.1.1 to 3.1.2</li> + <li>3.2.0 to 3.2.1</li> +</ul> + +<p>Description:</p> + +<p>The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. +With an authentication filter, this checks whether a user has access permissions to view or modify the application. +If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an +arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately +build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command +execution as the user Spark is currently running as.</p> + +<p>Mitigation</p> + +<ul> + <li>Update to Spark 3.1.3, 3.2.2, or 3.3.0 or later</li> +</ul> + +<p>Credit:</p> + +<ul> + <li>Kostya Torchinsky (Databricks)</li> +</ul> + <h3 id="CVE-2021-38296">CVE-2021-38296: Apache Spark<span class="tm">™</span> Key Negotiation Vulnerability</h3> <p>Severity: Medium</p> --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@spark.apache.org For additional commands, e-mail: commits-h...@spark.apache.org
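Review bot: in the security.md hunk, the "Versions Affected" list jumps from "3.0.3 and earlier" to "3.1.1 to 3.1.2", leaving 3.1.0 unmentioned; if 3.1.0 was never released, a short parenthetical saying so would preempt the question of whether it is unaffected. Two smaller points in the same hunk: "Mitigation" lacks the trailing colon used by "Description:" and "Credit:", and since the description states the vulnerable code path is only reachable when spark.acls.enable is set, the Mitigation section could restate that precondition so operators can assess exposure before upgrading (while keeping the upgrade as the actual fix).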
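Review bot: in the site/security.html hunk, the new heading `<h3 id="CVE-2022-33891">CVE-2022-33891: Apache Spark shell command injection vulnerability via Spark UI</h3>` omits the `<span class="tm">™</span>` mark that the adjacent CVE-2021-38296 heading carries after "Apache Spark"; apply the same convention in security.md so the generated HTML stays consistent, and carry over the missing colon on "Mitigation" there as well.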