This is an automated email from the ASF dual-hosted git repository. srowen pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/spark-website.git
The following commit(s) were added to refs/heads/asf-site by this push: new 28acafb092 Add CVE-2023-22946 28acafb092 is described below commit 28acafb0929be2f9aef1fa09c0683566b057bba8 Author: Sean Owen <sro...@gmail.com> AuthorDate: Sat Apr 15 08:29:48 2023 -0500 Add CVE-2023-22946 --- security.md | 29 +++++++++++++++++++++++++++++ site/security.html | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) diff --git a/security.md b/security.md index 5147a7e915..805e400fa4 100644 --- a/security.md +++ b/security.md @@ -18,6 +18,35 @@ non-public list that will reach the Apache Security team, as well as the Spark P <h2>Known security issues</h2> +<h3 id="CVE-2023-22946">CVE-2023-22946: Apache Spark proxy-user privilege escalation from malicious configuration class</h3> + +Severity: Medium + +Vendor: The Apache Software Foundation + +Versions Affected: + +- Versions prior to 3.4.0 + +Description: + +In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, +limiting privileges. The application can execute code with the privileges of the submitting user, however, by +providing malicious configuration-related classes on the classpath. This affects architectures relying on +proxy-user, for example those using Apache Livy to manage submitted applications. + +This issue is being tracked as SPARK-41958 + +Mitigation: + +- Update to Apache Spark 3.4.0 or later, and ensure that `spark.submit.proxyUser.allowCustomClasspathInClusterMode` is set to its default of "false", and is not overridden by submitted applications. + +Credit: + +- Hideyuki Furue (finder) +- Yi Wu (Databricks) (remediation developer) + + <h3 id="CVE-2022-31777">CVE-2022-31777: Apache Spark XSS vulnerability in log viewer UI Javascript</h3> Severity: Medium diff --git a/site/security.html b/site/security.html index 1c3128a493..57b3def5b5 100644 --- a/site/security.html +++ b/site/security.html 
@@ -133,6 +133,40 @@ non-public list that will reach the Apache Security team, as well as the Spark P <h2>Known security issues</h2> +<h3 id="CVE-2023-22946">CVE-2023-22946: Apache Spark proxy-user privilege escalation from malicious configuration class</h3> + +<p>Severity: Medium</p> + +<p>Vendor: The Apache Software Foundation</p> + +<p>Versions Affected:</p> + +<ul> + <li>Versions prior to 3.4.0</li> +</ul> + +<p>Description:</p> + +<p>In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a ‘proxy-user’ to run as, +limiting privileges. The application can execute code with the privileges of the submitting user, however, by +providing malicious configuration-related classes on the classpath. This affects architectures relying on +proxy-user, for example those using Apache Livy to manage submitted applications.</p> + +<p>This issue is being tracked as SPARK-41958</p> + +<p>Mitigation:</p> + +<ul> + <li>Update to Apache Spark 3.4.0 or later, and ensure that <code class="language-plaintext highlighter-rouge">spark.submit.proxyUser.allowCustomClasspathInClusterMode</code> is set to its default of “false”, and is not overridden by submitted applications.</li> +</ul> + +<p>Credit:</p> + +<ul> + <li>Hideyuki Furue (finder)</li> + <li>Yi Wu (Databricks) (remediation developer)</li> +</ul> + <h3 id="CVE-2022-31777">CVE-2022-31777: Apache Spark XSS vulnerability in log viewer UI Javascript</h3> <p>Severity: Medium</p>
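Review bot: In the security.md hunk, the mitigation bullet names `spark.submit.proxyUser.allowCustomClasspathInClusterMode` but never says what the setting controls, so a reader cannot connect it to the description's "malicious configuration-related classes on the classpath"; suggest one clause stating that, at its default of "false", the setting prevents applications submitted with a proxy-user in cluster mode from supplying their own classpath entries, which is why overriding it re-opens the issue. Two smaller points in the same hunk: "This issue is being tracked as SPARK-41958" is missing its terminal period and would be more useful with a link to the JIRA issue, and the description should say plainly that the proxy-user mechanism is the privilege boundary being crossed (code runs as the submitting user instead of the proxy-user) so that operators of Livy-style gateways can judge their exposure from the advisory alone.

Review bot: In the site/security.html hunk, the `<code class="language-plaintext highlighter-rouge">` markup and the converted typographic quotes (‘proxy-user’, “false”) show this file is build output from security.md rather than hand-written, so any wording change requested on the markdown hunk (the missing period after SPARK-41958, the clause explaining the setting) must be followed by regenerating this file in the same commit, otherwise the published page and the source drift apart. The new `<h3 id="CVE-2023-22946">` anchor matches the existing `id="CVE-2022-31777"` convention, so existing deep links stay intact.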