PT-2018-10814 · Apache · Apache Spark

Fengwei Zhang +1 · Published 2018-08-13 · Updated 2024-06-10 · CVE-2018-11770

CVSS v2.0: 4.9 (Medium)
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Apache Spark versions 1.3.0 and later

Description

The issue concerns Apache Spark's standalone master, which exposes a REST API for job submission without using any authentication mechanism, unlike the submission mechanism used by spark-submit. This is because the config property spark.authenticate.secret does not apply to the REST API, allowing a user to run a driver program without authenticating, although they cannot launch executors. The REST API is also utilized by Mesos in cluster mode for job submission. Future versions of Spark will enhance documentation, prohibit setting spark.authenticate.secret when running the REST APIs, and disable the REST API by default in the standalone master by changing the default value of spark.master.rest.enabled to 'false'.

Recommendations

For Apache Spark versions 1.3.0 and later, consider disabling the REST API by setting spark.master.rest.enabled to 'false' until a patch is available. As a temporary workaround, restrict access to the REST API to minimize the risk of exploitation. Avoid using the spark.authenticate.secret property when running the REST API, as it does not provide authentication for REST API job submissions.
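The recommendations above can be checked mechanically against a master's properties file. The following is an added example, not code from the advisory or from the Spark project: the finding codes, function names and sample configurations are constructed for illustration, and the `rest_default=True` assumption (REST API on when the property is absent) is inferred from the advisory's statement that later versions change the default to 'false'.

```python
import re

REST_KEY = "spark.master.rest.enabled"
SECRET_KEY = "spark.authenticate.secret"

def parse_spark_conf(text):
    """Parse properties text: 'key value' or 'key=value' lines, '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*[=\s]\s*", line, maxsplit=1)
        props[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return props

def audit(text, rest_default=True):
    """Return finding codes for the master's REST submission exposure.

    rest_default is the value assumed when the property is absent (assumption:
    'true' for affected releases, since later releases change it to 'false').
    """
    props = parse_spark_conf(text)
    findings = []
    if REST_KEY in props:
        rest_on = props[REST_KEY].lower() == "true"
        if rest_on:
            findings.append("REST_ENABLED_EXPLICIT")
    else:
        rest_on = rest_default
        if rest_on:
            findings.append("REST_ENABLED_BY_DEFAULT")
    # The secret does not authenticate REST submissions, so it gives false assurance.
    if rest_on and SECRET_KEY in props:
        findings.append("SECRET_DOES_NOT_COVER_REST")
    return findings

# Constructed sample configurations (not taken from any real deployment).
WEAK = """
# master relies on the shared secret only
spark.authenticate        true
spark.authenticate.secret constructed-sample-value
"""
HARDENED = """
spark.master.rest.enabled=false
spark.authenticate true
spark.authenticate.secret constructed-sample-value
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "no findings")
```

Pass `rest_default=False` when auditing a release in which the REST API is already disabled by default.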

Exploit

Fix

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2018-11770
GHSA-W4R4-65MG-45X2

Affected Products

Apache Spark