Correct: as per the code below from SecurityManager.scala, if ACLs aren't enabled, we skip the vulnerable code path (getCurrentUserGroups).

    private def isUserInACL(
        user: String,
        aclUsers: Set[String],
        aclGroups: Set[String]): Boolean = {
      if (user == null ||
          !aclsEnabled ||
          aclUsers.contains(WILDCARD_ACL) ||
          aclUsers.contains(user) ||
          aclGroups.contains(WILDCARD_ACL)) {
        true
      } else {
        val userGroups = Utils.getCurrentUserGroups(sparkConf, user)
        logDebug(s"user $user is in groups ${userGroups.mkString(",")}")
        aclGroups.exists(userGroups.contains(_))
      }
    }

On Mon, Nov 21, 2022 at 1:17 PM Sean Owen <sro...@gmail.com> wrote:

> CCing Kostya for a better view, but I believe that this will not be an
> issue if you're not using the ACLs in Spark, yes.
>
> On Mon, Nov 21, 2022 at 2:38 PM Andrew Pomponio <apompo...@perforce.com> wrote:
>
>> I am using Spark 2.3.0 and trying to mitigate
>> https://nvd.nist.gov/vuln/detail/CVE-2022-33891. The correct thing to do
>> is to update. However, I am told this is not happening. Thus, I am trying
>> to determine if the following are set:
>>
>>     spark.acls.enable false
>>     spark.history.ui.acls.enable false
>>
>> These are 100% set in the config. I checked the config for weird
>> whitespace issues in a hex editor. Nonetheless, the config does not show up
>> in the UI. Thus, I took a heap dump. If I read the heap dump in text mode I
>> can see this:
>>
>>     V is abstract � ��spark.acls.enable1 � 0invalid end of optional part at position
>>
>> I am not able to find this in VisualVM or MAT to determine what that is
>> set to. Any thoughts?
>>
>> Andrew Pomponio | Associate Enterprise Architect, OpenLogic
>> Perforce Software
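To check the two settings the thread is verifying, here is an added Python example (not code from Spark or from anyone in the thread) that parses a spark-defaults.conf the way java.util.Properties does, folds odd Unicode whitespace first, and reports whether either ACL switch is on; an unset key is treated as false, which is Spark's default for both.

```python
"""Check spark-defaults.conf for the two ACL switches named in the thread.

Added example, not code from the Spark project. Follows the
java.util.Properties rules Spark uses for spark-defaults.conf
(`key value`, `key=value` or `key:value`; '#'/'!' comment lines;
last occurrence of a key wins; backslash escapes not modelled).
"""
import re
import unicodedata

ACL_KEYS = ("spark.acls.enable", "spark.history.ui.acls.enable")
_KV = re.compile(r"^([^\s=:]+)\s*[=:]?\s*(.*)$")


def parse_spark_conf(text: str) -> dict:
    """Return {key: value} for the body of a spark-defaults.conf file."""
    # Fold every Unicode 'space separator' (category Zs, e.g. NBSP) to a
    # plain space so a stray non-ASCII byte cannot hide inside a key.
    text = "".join(" " if unicodedata.category(c) == "Zs" else c for c in text)
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()  # later lines override
    return props


def acl_status(text: str) -> dict:
    """Effective boolean per ACL key; an unset key is False, Spark's default."""
    props = parse_spark_conf(text)
    return {k: props.get(k, "false").lower() == "true" for k in ACL_KEYS}


def acls_disabled(text: str) -> bool:
    """True when neither switch is on, so isUserInACL never calls getCurrentUserGroups."""
    return not any(acl_status(text).values())


# Constructed sample: tab separator, '=' with a trailing NBSP, commented-out line.
SAMPLE_CONF = (
    "spark.acls.enable\tfalse\n"
    "spark.history.ui.acls.enable=false\u00a0\n"
    "# spark.acls.enable true   <- comment, must be ignored\n"
)
```

Run `acls_disabled(open("spark-defaults.conf").read())` against the real file; a result of False means one of the keys is set to true and the group-lookup path is reachable.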