Posted to issues@spark.apache.org by "Aditya Sharad (JIRA)" <ji...@apache.org> on 2017/05/30 15:17:05 UTC

[jira] [Comment Edited] (SPARK-20922) Unsafe deserialization in Spark LauncherConnection

    [ https://issues.apache.org/jira/browse/SPARK-20922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16029455#comment-16029455 ] 

Aditya Sharad edited comment on SPARK-20922 at 5/30/17 3:16 PM:
----------------------------------------------------------------

Yes, this is different from SPARK-11652, which focused on preventing a specific known gadget chain (found in Commons Collections). This issue involves the general problem of unconditionally deserializing untrusted data, and the proof-of-concept is simply an example of a gadget chain (in Commons Beanutils, and which cannot be addressed by updating the dependency) that works against the latest Spark dependencies.

I believe you are correct about the deserialization leading to code execution before the shared secret is established or checked.

Indeed, due to how the socket is opened, you must have access to the local machine to connect, but not necessarily to the same user that is running the Spark master or task.


> Unsafe deserialization in Spark LauncherConnection
> --------------------------------------------------
>
>                 Key: SPARK-20922
>                 URL: https://issues.apache.org/jira/browse/SPARK-20922
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Submit
>    Affects Versions: 2.1.1
>            Reporter: Aditya Sharad
>              Labels: security
>         Attachments: spark-deserialize-master.zip
>
>
> The {{run()}} method of the class {{org.apache.spark.launcher.LauncherConnection}} performs unsafe deserialization of data received by its socket. This makes Spark applications launched programmatically using the {{SparkLauncher}} framework potentially vulnerable to remote code execution by an attacker with access to any user account on the local machine. Such an attacker could send a malicious serialized Java object to multiple ports on the local machine, and if this port matches the one (randomly) chosen by the Spark launcher, the malicious object will be deserialized. By making use of gadget chains in code present on the Spark application classpath, the deserialization process can lead to RCE or privilege escalation.
> This vulnerability is identified by the “Unsafe deserialization” rule on lgtm.com:
> https://lgtm.com/projects/g/apache/spark/snapshot/80fdc2c9d1693f5b3402a79ca4ec76f6e422ff13/files/launcher/src/main/java/org/apache/spark/launcher/LauncherConnection.java#V58 
> Attached is a proof-of-concept exploit involving a simple {{SparkLauncher}}-based application and a known gadget chain in the Apache Commons Beanutils library referenced by Spark.
> See the readme file for demonstration instructions.
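As an added illustration of the mitigation for the pattern described above (this is not code from Spark, nor from the attached proof of concept): a reader whose resolveClass() admits only an explicit allowlist of expected message classes, shown beside the bare ObjectInputStream pattern the report points at. The Hello message type, AllowlistObjectInputStream and DeserializationDemo are hypothetical names standing in for the launcher's own protocol classes.

```java
import java.io.*;
import java.util.*;

// Hypothetical message type (assumption) standing in for the launcher protocol's own messages.
final class Hello implements Serializable {
    private static final long serialVersionUID = 1L;
    final String secret;
    Hello(String secret) { this.secret = secret; }
}
// Hardened reader: resolveClass() admits only an explicit allowlist, so any other class named
// in the stream (e.g. the first link of a gadget chain) is rejected before it is loaded.
final class AllowlistObjectInputStream extends ObjectInputStream {
    private static final Set<String> ALLOWED = Collections.singleton(Hello.class.getName());

    AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not permitted by launcher allowlist");
        }
        return super.resolveClass(desc);
    }
}

public class DeserializationDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // The unsafe pattern from the report: instantiates whatever class the peer names in the stream.
    static Object readUnsafe(byte[] bytes) throws IOException, ClassNotFoundException {
        return new ObjectInputStream(new ByteArrayInputStream(bytes)).readObject();
    }

    static Object readChecked(byte[] bytes) throws IOException, ClassNotFoundException {
        return new AllowlistObjectInputStream(new ByteArrayInputStream(bytes)).readObject();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Hello("constructed-secret"));
        byte[] unexpected = serialize(new HashMap<String, String>()); // constructed stand-in for any unexpected object
        System.out.println("unsafe reader accepted: " + readUnsafe(unexpected).getClass().getName());
        System.out.println("checked reader accepted: " + ((Hello) readChecked(expected)).secret);
        try { readChecked(unexpected); }
        catch (InvalidClassException e) { System.out.println("checked reader rejected: " + e.getMessage()); }
    }
}
```

On Java 9 and later the same allowlist can be expressed with ObjectInputStream.setObjectInputFilter (JEP 290) instead of overriding resolveClass; the override form shown here also works on the Java 7/8 runtimes Spark 2.1 targets.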