Weichen Xu created SPARK-52122:
----------------------------------

             Summary: Fix DefaultParamsReader RCE vulnerability
                 Key: SPARK-52122
                 URL: https://issues.apache.org/jira/browse/SPARK-52122
             Project: Spark
          Issue Type: Sub-task
          Components: Connect, ML
    Affects Versions: 4.1.0
            Reporter: Weichen Xu
Fix DefaultParamsReader RCE vulnerability: The metadata loading [https://github.com/apache/spark/blob/18aebd8eb86b554e7aab38baca1e5de24df19a57/mllib/src/main/scala/org/apache/spark/ml/util/ReadWrite.scala#L565] does not verify the class, and then the reflection invocation [https://github.com/apache/spark/blob/18aebd8eb86b554e7aab38baca1e5de24df19a57/mllib/src/main/scala/org/apache/spark/ml/util/ReadWrite.scala#L568] will trigger arbitrary code execution if a malicious class name is written to a designed metadata file. This becomes a security vulnerability because the code is executed in the Spark driver, which might be run with ROOT permission.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
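As an added illustration that is not part of this issue, of its reporter's words, or of Spark's own code, the following Python model reproduces the load path the issue describes: JSON metadata in the layout DefaultParamsWriter emits is parsed, the "class" field is resolved by name, and a static read() on the resolved class is invoked and its reader's load() called. It shows the unchecked shape (the name from the file goes straight into resolution and invocation, so a class with a side-effecting read() runs on the loader's side) next to a hardened shape that validates the name before resolving it and the resolved type before invoking anything on it. The class names, the metadata samples, the Gadget class, the ALLOWED_PREFIX namespace check and the MLReadable type check are all constructed assumptions for this example; what Spark's actual fix checks is not stated in this issue.

```python
"""Model of the DefaultParamsReader load path: JSON metadata -> class name ->
reflective read() -> load(), once unchecked and once with validation placed in
front of the reflection step. Constructed for illustration; not Spark code."""
import importlib
import json

# Side-effect log so the demo can show that the unchecked loader really ran
# code chosen by whoever wrote the metadata file.
EXECUTED = []


class MLReadable:
    """Stand-in for Spark's MLReadable: exposes a static read() returning a reader."""

    @classmethod
    def read(cls):
        return _Reader(cls)


class _Reader:
    """Stand-in for MLReader[T]: load(path) materialises an instance of the target."""

    def __init__(self, target):
        self.target = target

    def load(self, path):
        return self.target()


class LogisticRegressionModel(MLReadable):
    """A legitimate, readable model class (assumed name; stands in for any ML model)."""


class Gadget:
    """Constructed stand-in for an attacker-reachable class whose read() has side
    effects. Anything on the loader's classpath with a static read() is a candidate."""

    @classmethod
    def read(cls):
        EXECUTED.append("Gadget.read() executed during model load")
        return _Reader(cls)


# Assumption: the loader only ever expects classes from its own ML namespace.
ALLOWED_PREFIX = __name__ + "."


def load_metadata(json_text):
    """Parse metadata in the shape DefaultParamsWriter emits (class, uid, paramMap, ...).
    Like the code the issue points at, this returns the class name without checking it."""
    meta = json.loads(json_text)
    return meta["class"], meta


def resolve_class(dotted):
    """Emulate Class.forName on a fully qualified name."""
    module_name, _, cls_name = dotted.rpartition(".")
    namespace = globals() if module_name == __name__ else vars(importlib.import_module(module_name))
    return namespace[cls_name]


def load_instance_unchecked(json_text, path="/tmp/model"):
    """Vulnerable shape: trust the name from the file and reflect straight into read()."""
    class_name, _ = load_metadata(json_text)
    cls = resolve_class(class_name)      # no verification of the class
    return cls.read().load(path)         # attacker-chosen read() runs here


def load_instance_checked(json_text, path="/tmp/model"):
    """Hardened shape: validate the name before any class is resolved, then validate
    the resolved type before anything on it is invoked."""
    class_name, _ = load_metadata(json_text)
    if not class_name.startswith(ALLOWED_PREFIX):
        raise ValueError(f"refusing to load class outside {ALLOWED_PREFIX!r}: {class_name}")
    cls = resolve_class(class_name)
    if not (isinstance(cls, type) and issubclass(cls, MLReadable)):
        raise ValueError(f"{class_name} is not an MLReadable; refusing reflective read()")
    return cls.read().load(path)


def checked_load_result(json_text):
    """Return ('ok', instance) or ('rejected', reason) for the hardened loader."""
    try:
        return "ok", load_instance_checked(json_text)
    except ValueError as exc:
        return "rejected", str(exc)


def metadata_for(class_name):
    """Constructed metadata document in the DefaultParamsWriter layout."""
    return json.dumps({
        "class": class_name,
        "timestamp": 1700000000000,
        "sparkVersion": "4.1.0",
        "uid": "logreg_0123456789ab",
        "paramMap": {"maxIter": 10, "regParam": 0.1},
    })


LEGIT_METADATA = metadata_for(__name__ + ".LogisticRegressionModel")
GADGET_METADATA = metadata_for(__name__ + ".Gadget")      # in-namespace gadget
EXTERNAL_METADATA = metadata_for("subprocess.Popen")      # out-of-namespace name


if __name__ == "__main__":
    print(type(load_instance_unchecked(GADGET_METADATA)).__name__, EXECUTED)
    for sample in (LEGIT_METADATA, GADGET_METADATA, EXTERNAL_METADATA):
        print(checked_load_result(sample)[0])
```

The two checks in load_instance_checked are deliberately separate: the namespace prefix rejects subprocess.Popen before any import happens, but it does nothing against Gadget, which lives inside the allowed namespace, so the type check on the resolved class is what stops a read() on an arbitrary in-namespace class from being invoked.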