PT-2018-3338 · Apache · Apache Spark

Published: 2018-11-18 · Updated: 2020-08-24 · CVE-2018-17190

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Spark versions prior to a version with authentication enabled for standalone clusters
Description: The issue is related to the standalone resource manager in Apache Spark, which can execute user code on 'worker' hosts but is not designed to execute code on the 'master' host itself. However, a specially-crafted request can cause the master to execute code, potentially affecting the confidentiality, integrity, and availability of protected information. This issue does not affect standalone clusters with authentication enabled.
Recommendations: On affected Apache Spark versions, enable authentication on any Spark standalone cluster that is not otherwise secured from unwanted access, for example by network-level restrictions. Use spark.authenticate and related security properties as described in the official Apache Spark security documentation.
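
A configuration check for this recommendation, as an added example that is not part of the original advisory or of Apache Spark: it parses spark-defaults.conf text and flags a standalone configuration where spark.authenticate is off or no spark.authenticate.secret is set in the file. The function names, the host name and both sample files are constructed for illustration.

```python
import re

# Constructed sample: authentication left at its default (off).
WEAK_CONF = """
spark.master            spark://master.example.internal:7077
spark.eventLog.enabled  true
"""

# Constructed sample: shared-secret authentication enabled.
HARDENED_CONF = """
spark.master               spark://master.example.internal:7077
spark.authenticate         true
spark.authenticate.secret  PLACEHOLDER-load-from-secret-store
"""

# Key, then whitespace or '=' as separator, then the rest of the line as value.
_LINE = re.compile(r"([^\s=]+)\s*(?:=|\s)\s*(.*)")


def parse_spark_conf(text):
    """Parse spark-defaults.conf text into a dict; later keys override earlier ones."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
        else:
            props[line] = ""  # key with no value
    return props


def audit_standalone_auth(props):
    """Return findings for the authentication settings the advisory names."""
    findings = []
    if props.get("spark.authenticate", "false").lower() != "true":
        findings.append("spark.authenticate is not true: authentication is off, "
                        "the condition this advisory applies to")
    elif not props.get("spark.authenticate.secret"):
        findings.append("spark.authenticate.secret is not set in this file: "
                        "confirm the shared secret is supplied on every node")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_standalone_auth(parse_spark_conf(conf)) or "OK")
```

An empty result only shows that the file enables authentication; whether the master and every worker were started with the same settings still has to be checked on the hosts.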

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2020-00063
CVE-2018-17190
GHSA-PHG2-9C5G-M4Q7

Affected Products

Apache Spark