
Imran Rashid

Researcher at Cloudera
Rank #49820 of 53,633
4.9 total CVSS
Vulnerabilities · 1
PT-2018-10814
4.9
2018-08-13
Apache · Apache Spark · CVE-2018-11770
**Name of the Vulnerable Software and Affected Versions**

Apache Spark versions 1.3.0 and later

**Description**

The issue concerns Apache Spark's standalone master, which exposes a REST API for job submission without any authentication mechanism, unlike the submission path used by spark-submit. The config property `spark.authenticate.secret` does not apply to the REST API, so a user can run a driver program without authenticating, although they cannot launch executors. The REST API is also used by Mesos in cluster mode for job submission.

Future versions of Spark will enhance the documentation, prohibit setting `spark.authenticate.secret` when running the REST API, and disable the REST API by default in the standalone master by changing the default value of `spark.master.rest.enabled` to `false`.

**Recommendations**

For Apache Spark versions 1.3.0 and later, consider disabling the REST API by setting `spark.master.rest.enabled` to `false` until a patch is available. As a temporary workaround, restrict network access to the REST API to minimize the risk of exploitation. Avoid relying on the `spark.authenticate.secret` property when running the REST API, as it does not provide authentication for REST API job submissions.