Severity: Low Vendor: The Apache Software Foundation
Versions Affected: Versions of Apache Spark before 2.2.0 Description: It is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs. Mitigation: Update to Apache Spark 2.2.0 or later. Example: Request: GET /app/?appId=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a-- _AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer- Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a HTTP/1.1 Excerpt from response: <div class="row-fluid">No running application with ID Content-Type: multipart/related; boundary=_AppScan --_AppScan Content-Location:foo Content-Transfer-Encoding:base64 PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+ </div> Result: In the above payload the BASE64 data decodes as: <html><script>alert("XSS")</script></html> Credit: Mike Kasper, Nicholas Marion IBM z Systems Center for Secure Engineering