I received some questions about what the exact change was which fixed the
issue, and the PMC decided to post info in Jira to make it easier for the
community to track.  The relevant details are all on

https://issues.apache.org/jira/browse/SPARK-26802

On Mon, Jan 28, 2019 at 1:08 PM Imran Rashid <iras...@apache.org> wrote:

> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions affected:
> All Spark 1.x, Spark 2.0.x, and Spark 2.1.x versions
> Spark 2.2.0 to 2.2.2
> Spark 2.3.0 to 2.3.1
>
> Description:
> When using PySpark, it's possible for a different local user to connect
> to the Spark application and impersonate the user running the Spark
> application.  This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and
> 2.3.0 to 2.3.1.
>
> Mitigation:
> 1.x, 2.0.x, 2.1.x, and 2.2.x users should upgrade to 2.2.3 or newer
> 2.3.x users should upgrade to 2.3.2 or newer
> Otherwise, affected users should avoid using PySpark in multi-user
> environments.
>
> Credit:
> This issue was reported by Luca Canali and Jose Carlos Luna Duran from
> CERN.
>
> References:
> https://spark.apache.org/security.html
>
