PT-2017-12600 · Apache · Apache Spark
Published
2017-09-13
·
Updated
2018-11-09
·
CVE-2017-12612
CVSS v4.0
8.5
High
| Vector | AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Apache Spark versions 1.6.0 through 2.1.1
Description
The launcher API in Apache Spark performs unsafe deserialization of data received by its socket, making applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. This issue does not affect applications run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application.
Recommendations
For Apache Spark versions 1.6.0 through 2.1.1, update to version 2.2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the launcher API to minimize the risk of exploitation.
Fix
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Spark