CVE-2018-11770
https://notcve.org/view.php?id=CVE-2018-11770
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. • https://github.com/ivanitlearning/CVE-2018-11770 http://www.securityfocus.com/bid/105097 https://lists.apache.org/thread.html/bd8e51314041451a2acd720e9223fc1c15a263ccacb396a75b1fc485%40%3Cdev.spark.apache.org%3E https://spark.apache.org/security.html#CVE-2018-11770 https://www.jianshu.com/p/a080cb323832 https://github.com/vulhub/vulhub/tree/master/spark/unacc • CWE-287: Improper Authentication •
CVE-2018-8024
https://notcve.org/view.php?id=CVE-2018-8024
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not. En Apache Spark versión 2.1.0 hasta 2.1.2, versión 2.2.0 hasta 2.2.1 y versión 2.3.0, es posible que un usuario malicioso construya una dirección URL que apunte a las páginas de información de trabajo y etapa de la Interfaz de Usuario del clúster Spark, y si un usuario puede ser engañado para que acceda a la dirección URL, puede ser usado para causar que el script se ejecute y exponga información de la vista del usuario de la IU de Spark. Mientras que algunos navegadores como las versiones recientes de Chrome y Safari son capaces de bloquear este tipo de ataque, las versiones actuales de Firefox (y posiblemente otros) no lo hacen. • https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba%40%3Cdev.spark.apache.org%3E https://spark.apache.org/security.html#CVE-2018-8024 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2018-1334
https://notcve.org/view.php?id=CVE-2018-1334
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. En Apache Spark 1.0.0 a 2.1.2, 2.2.0 a 2.2.1 y 2.3.0, al emplear PySpark o SparkR, es posible que un usuario local diferente se conecte a la aplicación Spark y suplante al usuario que ejecuta la aplicación Spark. • https://lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060%40%3Cdev.spark.apache.org%3E https://spark.apache.org/security.html#CVE-2018-1334 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2018-9159 – spark: Absolute and relative pathnames allow for unintended static file disclosure
https://notcve.org/view.php?id=CVE-2018-9159
In Spark before 2.7.2, a remote attacker can read unintended static files via various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal sequences. NOTE: this product is unrelated to Ignite Realtime Spark. En Spark en versiones anteriores a la 2.7.2, un atacante remoto puede leer archivos estáticos no deseados mediante varias representaciones de nombres de ruta relativos o absolutos, tal y como queda demostrado con las secuencias de URL de archivos y saltos de directorio. NOTA: este producto no está relacionado con Ignite Realtime Spark. • http://sparkjava.com/news#spark-272-released https://access.redhat.com/errata/RHSA-2018:2020 https://access.redhat.com/errata/RHSA-2018:2405 https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668 https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd https://github.com/perwendel/spark/commit/ce9e11517eca69e58ed4378d1e47a02bd06863cc https://github.com/perwendel/spark/issues/981 https://access.redhat.com/security/cve/CVE-2018-9159 https://bugzilla.redhat.com/show_bug • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2017-12612
https://notcve.org/view.php?id=CVE-2017-12612
In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later. • http://www.securityfocus.com/bid/100823 https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E • CWE-502: Deserialization of Untrusted Data •