Posted to user@spark.apache.org by Andrew Pomponio <AP...@perforce.com> on 2022/11/21 20:37:36 UTC
CVE-2022-33891 mitigation
I am using Spark 2.3.0 and trying to mitigate https://nvd.nist.gov/vuln/detail/CVE-2022-33891. The correct thing to do is to update. However, I am told this is not happening. Thus, I am trying to determine if the following are set:
spark.acls.enable false
spark.history.ui.acls.enable false
These are 100% set in the config. I checked the config for weird whitespace issues in a hex editor. Nonetheless, the config does not show up in the UI. Thus, I took a heap dump. If I read the heap dump in text mode I can see this:
V is abstract���spark.acls.enable1�0invalid end of optional part at position
I am not able to find this in VisualVM or MAT to determine what that is set to. Any thoughts?
Andrew Pomponio | Associate Enterprise Architect, OpenLogic<https://www.openlogic.com/?utm_leadsource=email-signature&utm_source=outlook-direct-email&utm_medium=email&utm_campaign=2019-common&utm_content=email-signature-link>
Perforce Software<http://www.perforce.com/?utm_leadsource=email-signature&utm_source=outlook-direct-email&utm_medium=email&utm_campaign=2021-common&utm_content=email-signature-link>
P: +1 612.517.2100
Visit us on: LinkedIn<https://www.linkedin.com/company/perforce?utm_leadsource=email-signature&utm_source=outlook-direct-email&utm_medium=email&utm_campaign=2021-common&utm_content=email-signature-link> | Twitter<https://twitter.com/perforce?utm_leadsource=email-signature&utm_source=outlook-direct-email&utm_medium=email&utm_campaign=2021-common&utm_content=email-signature-link> | Facebook<https://www.facebook.com/perforce/?utm_leadsource=email-signature&utm_source=outlook-direct-email&utm_medium=email&utm_campaign=2021-common&utm_content=email-signature-link> | YouTube<https://www.youtube.com/user/perforcesoftware?utm_leadsource=email-signature&utm_source=outlook-direct-email&utm_medium=email&utm_campaign=2021-common&utm_content=email-signature-link>
Use our new Community portal to submit/track support cases!<https://www.perforce.com/support/community-portal-faq?utm_source=sales-signature&utm_medium=email&utm_campaign=community-portal-faq&utm_content=resource?utm_leadsource=email-signature&utm_source=outlook-direct-email&utm_medium=email&utm_campaign=2021-common&utm_content=email-signature-link>
This e-mail may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.
Re: CVE-2022-33891 mitigation
Posted by Kostya Kortchinsky <ko...@databricks.com.INVALID>.
Correct: as per the code below from SecurityManager.scala, if ACLs aren't
enabled, we skip the vulnerable code path (getCurrentUserGroups).

private def isUserInACL(
    user: String,
    aclUsers: Set[String],
    aclGroups: Set[String]): Boolean = {
  // Short-circuit: with aclsEnabled == false the group lookup below is never reached.
  if (user == null ||
      !aclsEnabled ||
      aclUsers.contains(WILDCARD_ACL) ||
      aclUsers.contains(user) ||
      aclGroups.contains(WILDCARD_ACL)) {
    true
  } else {
    val userGroups = Utils.getCurrentUserGroups(sparkConf, user)
    logDebug(s"user $user is in groups ${userGroups.mkString(",")}")
    aclGroups.exists(userGroups.contains(_))
  }
}
On Mon, Nov 21, 2022 at 1:17 PM Sean Owen <sr...@gmail.com> wrote:
> CCing Kostya for a better view, but I believe that this will not be an
> issue if you're not using the ACLs in Spark, yes.
>
> On Mon, Nov 21, 2022 at 2:38 PM Andrew Pomponio <AP...@perforce.com>
> wrote:
>
>> I am using Spark 2.3.0 and trying to mitigate
>> https://nvd.nist.gov/vuln/detail/CVE-2022-33891. The correct thing to do
>> is to update. However, I am told this is not happening. Thus, I am trying
>> to determine if the following are set:
>>
>>
>> spark.acls.enable false
>>
>> spark.history.ui.acls.enable false
>>
>>
>> These are 100% set in the config. I checked the config for weird
>> whitespace issues in a hex editor. Nonetheless, the config does not show up
>> in the UI. Thus, I took a heap dump. If I read the heap dump in text mode I
>> can see this:
>>
>>
>>
>> V is abstract � ��spark.acls.enable1 � 0invalid end of optional part at
>> position
>>
>>
>>
>> I am not able to find this in VisualVM or MAT to determine what that is
>> set to. Any thoughts?
>>
>>
>>
>>
>>
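The two questions in this thread, whether spark.acls.enable and spark.history.ui.acls.enable are really "false" in the config file and whether that is enough to keep isUserInACL from ever calling Utils.getCurrentUserGroups, can both be checked with a short script. The following is an added example, not code from the thread or from the Spark project: it parses a spark-defaults.conf (whitespace-normalized, so a stray tab or non-breaking space cannot hide a key), reports the effective value of each ACL key against the documented default of "false" (an assumption stated in the code), and replays the decision order of the Scala isUserInACL shown above with a stub group lookup, so you can see that the lookup is only invoked when ACLs are enabled and no short-circuit condition matches. The sample config is constructed. Note that this verifies the file on disk, not what the running JVM loaded; confirming the live value is what the heap-dump step in the original question was attempting.

```python
"""Audit Spark ACL settings and replay SecurityManager.isUserInACL's decision order.

Added example, not part of the mailing-list thread or of Apache Spark itself.
"""
import re
from typing import Callable, Dict, Set, Tuple

# Assumption: both keys default to "false" when absent, per the Spark configuration docs.
DEFAULTS: Dict[str, str] = {
    "spark.acls.enable": "false",
    "spark.history.ui.acls.enable": "false",
}
WILDCARD_ACL = "*"  # same wildcard the Scala code checks for

# Constructed sample spark-defaults.conf with mixed separators and odd whitespace.
SAMPLE_CONF = (
    "# constructed sample, not a real deployment\n"
    "spark.master\tlocal[*]\n"
    "spark.acls.enable   false   \n"
    "spark.history.ui.acls.enable=false\n"
    "spark.ui.view.acls alice,bob\n"
)


def parse_spark_conf(text: str) -> Dict[str, str]:
    """Parse 'key value' or 'key=value' lines; '#' starts a comment.

    NBSP and surrounding whitespace are normalized so a hidden byte cannot
    make a key look set when it is not (or vice versa)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.replace("\u00a0", " ").strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)\s*[=\s]\s*(.*)$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def effective_value(conf: Dict[str, str], key: str) -> str:
    """Value from the file, falling back to the documented default."""
    return conf.get(key, DEFAULTS.get(key, "")).strip().lower()


def audit(conf_text: str) -> Dict[str, Dict[str, object]]:
    """For each ACL key: effective value, whether it was set explicitly, and
    whether the group-lookup path in isUserInACL is reachable at all."""
    conf = parse_spark_conf(conf_text)
    report: Dict[str, Dict[str, object]] = {}
    for key in DEFAULTS:
        val = effective_value(conf, key)
        report[key] = {
            "value": val,
            "explicit": key in conf,
            "group_lookup_reachable": val == "true",
        }
    return report


def is_user_in_acl(
    user: str,
    acls_enabled: bool,
    acl_users: Set[str],
    acl_groups: Set[str],
    lookup_groups: Callable[[str], Set[str]],
) -> Tuple[bool, bool]:
    """Mirror of the Scala decision order. Returns (allowed, lookup_invoked).

    lookup_groups stands in for Utils.getCurrentUserGroups; it is only called
    when every short-circuit condition is false."""
    if (
        user is None
        or not acls_enabled
        or WILDCARD_ACL in acl_users
        or user in acl_users
        or WILDCARD_ACL in acl_groups
    ):
        return True, False
    user_groups = lookup_groups(user)
    return any(g in user_groups for g in acl_groups), True


if __name__ == "__main__":
    for key, row in audit(SAMPLE_CONF).items():
        print(f"{key}: value={row['value']} explicit={row['explicit']} "
              f"group_lookup_reachable={row['group_lookup_reachable']}")
```

Run it against your real file by replacing SAMPLE_CONF with the contents of spark-defaults.conf; a key reported as explicit=False means the default is in play, which is worth stating in a change record even when the default is already the safe value.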
Re: CVE-2022-33891 mitigation
Posted by Sean Owen <sr...@gmail.com>.
CCing Kostya for a better view, but I believe that this will not be an
issue if you're not using the ACLs in Spark, yes.
On Mon, Nov 21, 2022 at 2:38 PM Andrew Pomponio <AP...@perforce.com>
wrote:
> I am using Spark 2.3.0 and trying to mitigate
> https://nvd.nist.gov/vuln/detail/CVE-2022-33891. The correct thing to do
> is to update. However, I am told this is not happening. Thus, I am trying
> to determine if the following are set:
>
>
> spark.acls.enable false
>
> spark.history.ui.acls.enable false
>
>
> These are 100% set in the config. I checked the config for weird
> whitespace issues in a hex editor. Nonetheless, the config does not show up
> in the UI. Thus, I took a heap dump. If I read the heap dump in text mode I
> can see this:
>
>
>
> V is abstract � ��spark.acls.enable1 � 0invalid end of optional part at
> position
>
>
>
> I am not able to find this in VisualVM or MAT to determine what that is
> set to. Any thoughts?
>
>
>
>
>