Hideyuki Furue

**Name of the Vulnerable Software and Affected Versions** Apache Spark versions prior to 3.4.0 **Description** The issue is related to insecure privilege management in the spark-submit function of Apache Spark. This allows an application to execute code with the privileges of the submitting user by providing malicious configuration-related classes on the classpath. Architectures relying on proxy-user, such as those using Apache Livy to manage submitted applications, are affected. **Recommendations** Update to Apache Spark 3.4.0 or later, and ensure that `spark.submit.proxyUser.allowCustomClasspathInClusterMode` is set to its default of "false", and is not overridden by submitted applications.

**Name of the Vulnerable Software and Affected Versions** Apache Hive versions prior to 3.1.3 **Description** The issue arises from the lack of necessary authorization checks for involved entities in the query during `CREATE` and `DROP` function operations. This allows an unauthorized user to manipulate an existing UDF without proper privileges, enabling them to drop and recreate UDFs that point to potentially malicious jars. **Recommendations** For versions prior to 3.1.3, update to version 3.1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `CREATE` and `DROP` function operations to authorized users only, and monitor UDF manipulations closely to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Hadoop versions 2.2.0 through 2.10.1 Apache Hadoop versions 3.0.0-alpha1 through 3.1.4 Apache Hadoop versions 3.2.0 through 3.2.2 Apache Hadoop versions 3.3.0 through 3.3.1 **Description** A user who can escalate to yarn user can possibly run arbitrary commands as root user. **Recommendations** For Apache Hadoop versions 2.2.0 through 2.10.1, upgrade to Apache Hadoop 2.10.2 or higher. For Apache Hadoop versions 3.0.0-alpha1 through 3.1.4, upgrade to Apache Hadoop 3.2.3 or higher. For Apache Hadoop versions 3.2.0 through 3.2.2, upgrade to Apache Hadoop 3.2.3 or higher. For Apache Hadoop versions 3.3.0 through 3.3.1, upgrade to Apache Hadoop 3.3.2 or higher.