CVE-2024-39928 – Apache Linkis Spark EngineConn: Commons Lang's RandomStringUtils Random string security vulnerability
https://notcve.org/view.php?id=CVE-2024-39928
In Apache Linkis <= 1.5.0, the Spark EngineConn has a random-string security vulnerability: the random string used as the token when starting Py4j is generated with Commons Lang's RandomStringUtils. Users are recommended to upgrade to version 1.6.0, which fixes this issue.
References: https://lists.apache.org/thread/g664n13nb17rsogcfrn8kjgd8m89p8nw
CWE-326: Inadequate Encryption Strength
CVE-2023-40195 – Apache Airflow Spark Provider Deserialization Vulnerability RCE
https://notcve.org/view.php?id=CVE-2023-40195
Deserialization of Untrusted Data and Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider. When the Apache Spark provider is installed on an Airflow deployment, an Airflow user who is authorized to configure Spark hooks can effectively run arbitrary code on the Airflow node by pointing it at a malicious Spark server. Prior to version 4.1.3, this was not called out explicitly in the documentation, so it is possible that administrators granted authorization to configure Spark hooks without taking this into account. We recommend that administrators review their configurations to make sure that authorization to configure Spark hooks is granted only to fully trusted users. To view the warning in the docs, please visit https://airflow.apache.org/docs/apache-airflow-providers-apache-spark/4.1.3/connections/spark.html
References: https://github.com/apache/airflow/pull/33233 https://lists.apache.org/thread/fzy95b1d6zv31j5wrx3znhzcscck2o24
CWE-502: Deserialization of Untrusted Data; CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CVE-2023-40272 – Apache Airflow Spark Provider Arbitrary File Read via JDBC
https://notcve.org/view.php?id=CVE-2023-40272
Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass malicious parameters when establishing a connection, giving an opportunity to read files on the Airflow server. It is recommended to upgrade to a version that is not affected.
References: http://www.openwall.com/lists/oss-security/2023/08/17/1 http://www.openwall.com/lists/oss-security/2023/08/18/1 https://lists.apache.org/thread/t03gktyzyor20rh06okd91jtqmw6k1l7
CWE-20: Improper Input Validation
CVE-2023-32007 – Apache Spark: Shell command injection via Spark UI
https://notcve.org/view.php?id=CVE-2023-32007
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as.
References: http://www.openwall.com/lists/oss-security/2023/05/02/1 https://lists.apache.org/thread/poxgnxhhnzz735kr1wos366l5vdbb0nv https://spark.apache.org/security.html https://www.cve.org/CVERecord?id=CVE-2022-33891
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-22946 – Apache Spark proxy-user privilege escalation from malicious configuration class
https://notcve.org/view.php?id=CVE-2023-22946
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can, however, execute code with the privileges of the submitting user by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false" and is not overridden by submitted applications.
References: https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv
CWE-269: Improper Privilege Management