[ https://issues.apache.org/jira/browse/SPARK-50239?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Zijie updated SPARK-50239:
--------------------------
    Description: 

First, we need to obtain regular user privileges and construct a JAR file according to custom rules. When YARN submits a task, I put a command-injection string on a parameter named "spark.executor.extraJavaOptions"; it's about "\'touch\$IFS/tmp/czjtest\'".

There are two ways to submit parameters:
# Using command lines: {{spark-submit --class JavaWordCount --master yarn --deploy-mode client --conf spark.executor.extraJavaOptions="\`touch\$IFS/tmp/czjtest\`" test.jar}}
# Using Java API: {{sparkLauncher.setConf("spark.executor.extraJavaOptions", "`touch$IFS/tmp/czjtest`");}}

*We may find command-injection logs in hadoop.*

I found the vulnerability exposed in file {{ExecutorRunnable.scala}}:
{code:scala}
// Set extra Java options for the executor, if defined
sparkConf.get(EXECUTOR_JAVA_OPTIONS).foreach { opts =>
  val subsOpt = Utils.substituteAppNExecIds(opts, appId, executorId)
  javaOpts ++= Utils.splitCommandString(subsOpt).map(YarnSparkHadoopUtil.escapeForShell)
}
{code}

CVSS score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

In the directory {{Bigdata/common/runtime/security}}, there are security configurations, and the {{krb5.conf}} file is readable by the {{ldapuser}}, with the key location accessible.
In {{Bigdata/FusionInsight_Current/1_5_DataNode/install/hadoop}}, the {{ldapuser}} has read and execute permissions, allowing the execution of commands such as {{hadoop}}, {{hdfs}}, and {{yarn}}.
In {{Bigdata/FusionInsight_Current/1_6_NodeManager/etc}}, the {{ldapuser}} has read permissions, and there are business configurations present.
In {{Bigdata/FusionInsight_Current/1_6_NodeManager/install/hadoop}}, the {{ldapuser}} has read and execute permissions, allowing the execution of commands such as {{hadoop}}, {{hdfs}}, and {{yarn}}.
In {{Bigdata/FusionInsight_Current/1_8_RegionServer}}, the {{ldapuser}} has read permissions on a few files, and there are business configurations present.

was:

First, we need to obtain regular user privileges and construct a JAR file according to custom rules. When YARN submits a task, I put a command-injection string on a parameter named "spark.executor.extraJavaOptions"; it's about "\'touch\$IFS/tmp/zzz123\'".

There are two ways to submit parameters:
# Using command lines: {{spark-submit --class JavaWordCount --master yarn --deploy-mode client --conf spark.executor.extraJavaOptions="\`touch\$IFS/tmp/czjtest\`" test.jar}}
# Using Java API: {{sparkLauncher.setConf("spark.executor.extraJavaOptions", "`touch$IFS/tmp/czjtest`");}}

*We may find command-injection logs in hadoop.*

I found the vulnerability exposed in file {{ExecutorRunnable.scala}}:
{code:scala}
// Set extra Java options for the executor, if defined
sparkConf.get(EXECUTOR_JAVA_OPTIONS).foreach { opts =>
  val subsOpt = Utils.substituteAppNExecIds(opts, appId, executorId)
  javaOpts ++= Utils.splitCommandString(subsOpt).map(YarnSparkHadoopUtil.escapeForShell)
}
{code}

CVSS score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

In the directory {{Bigdata/common/runtime/security}}, there are security configurations, and the {{krb5.conf}} file is readable by the {{ldapuser}}, with the key location accessible.
In {{Bigdata/FusionInsight_Current/1_5_DataNode/install/hadoop}}, the {{ldapuser}} has read and execute permissions, allowing the execution of commands such as {{hadoop}}, {{hdfs}}, and {{yarn}}.
In {{Bigdata/FusionInsight_Current/1_6_NodeManager/etc}}, the {{ldapuser}} has read permissions, and there are business configurations present.
In {{Bigdata/FusionInsight_Current/1_6_NodeManager/install/hadoop}}, the {{ldapuser}} has read and execute permissions, allowing the execution of commands such as {{hadoop}}, {{hdfs}}, and {{yarn}}.
In {{Bigdata/FusionInsight_Current/1_8_RegionServer}}, the {{ldapuser}} has read permissions on a few files, and there are business configurations present.


> JavaOptions Injection Issue
> ---------------------------
>
>                 Key: SPARK-50239
>                 URL: https://issues.apache.org/jira/browse/SPARK-50239
>             Project: Spark
>          Issue Type: Improvement
>          Components: Spark Submit, YARN
>    Affects Versions: 3.5.1
>            Reporter: Zijie
>            Priority: Major
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
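The report above turns on a configuration string that is split into tokens and then passed through a shell-escaping routine before it lands in a YARN launch script. A defender-side alternative to escaping for every possible shell context is to refuse, at the submission gateway, any token that does not look like a plain JVM flag. The following is an added example written for this page; it is not Spark's code and not the reporter's. The token policy (`_TOKEN_RE`) and the function names are this example's own choices; the three configuration keys named in `SHELL_INTERPOLATED_KEYS` are standard Spark settings, and the double-brace placeholders that Spark substitutes with the application and executor ids are allowed through.

```python
"""Admission check for JVM option strings (added example, not Spark code).

Rather than escaping shell metacharacters for whichever quoting context the
value is later interpolated into, every token must start with '-' and contain
only characters that JVM options legitimately use. Backticks, '$', ';', '|',
'&', parentheses, quotes and embedded whitespace are refused outright.
"""
from __future__ import annotations

import re
import shlex

# Policy regex chosen for this example (hypothetical, not a Spark setting).
# Braces are permitted so Spark's {{APP_ID}} / {{EXECUTOR_ID}} placeholders pass.
_TOKEN_RE = re.compile(r"^-[A-Za-z0-9][A-Za-z0-9:+=_./,{}\-]*$")

# Standard Spark keys whose values end up inside a launch command line.
SHELL_INTERPOLATED_KEYS = (
    "spark.driver.extraJavaOptions",
    "spark.executor.extraJavaOptions",
    "spark.yarn.am.extraJavaOptions",
)


class UnsafeJavaOptions(ValueError):
    """Raised when an option string fails the admission policy."""


def split_java_options(value: str) -> list[str]:
    """Split like a POSIX shell would, refusing unbalanced quoting."""
    try:
        return shlex.split(value)
    except ValueError as exc:  # e.g. "No closing quotation"
        raise UnsafeJavaOptions(f"unbalanced quoting: {exc}") from exc


def validate_java_options(value: str) -> list[str]:
    """Return the parsed tokens, or raise if any token violates the policy.

    Note that the policy is deliberately stricter than what Spark itself
    accepts: a value with an embedded space (-Dname='a b') is refused.
    """
    tokens = split_java_options(value)
    for tok in tokens:
        if not _TOKEN_RE.match(tok):
            raise UnsafeJavaOptions(f"refused token: {tok!r}")
    return tokens


def is_safe(value: str) -> bool:
    """Boolean convenience wrapper around validate_java_options."""
    try:
        validate_java_options(value)
        return True
    except UnsafeJavaOptions:
        return False


def check_submit_conf(conf: dict[str, str]) -> dict[str, list[str]]:
    """Validate every shell-interpolated key present in a submit configuration.

    Returns the parsed tokens per checked key; other keys are left alone.
    Raises UnsafeJavaOptions naming the offending key.
    """
    checked: dict[str, list[str]] = {}
    for key in SHELL_INTERPOLATED_KEYS:
        if key in conf:
            try:
                checked[key] = validate_java_options(conf[key])
            except UnsafeJavaOptions as exc:
                raise UnsafeJavaOptions(f"{key}: {exc}") from exc
    return checked


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary executor option string and the
    # injection-shaped string from the report above.
    print(validate_java_options("-Xmx4g -XX:+UseG1GC -Dspark.app={{APP_ID}}"))
    print(is_safe("`touch$IFS/tmp/czjtest`"))
```

In a gateway that fronts `spark-submit` (or a `SparkLauncher` wrapper), calling `check_submit_conf` on the user-supplied `--conf` map before the job is handed to YARN rejects the payload shape in the report, while legitimate heap, GC and `-D` settings pass unchanged. A refusal is also a cheap detection signal: log the key and the offending token rather than the whole value.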