CVE-2017-12612

Name of the Vulnerable Software and Affected Versions Apache Spark versions 1.6.0 through 2.1.1

Description The launcher API in Apache Spark performs unsafe deserialization of data received by its socket, making applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. This issue does not affect applications run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application.

Recommendations For Apache Spark versions 1.6.0 through 2.1.1, update to version 2.2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the launcher API to minimize the risk of exploitation.