Posted to user@spark.apache.org by Andrew Pomponio <AP...@perforce.com> on 2022/11/21 20:37:36 UTC

CVE-2022-33891 mitigation

I am using Spark 2.3.0 and trying to mitigate https://nvd.nist.gov/vuln/detail/CVE-2022-33891. The correct thing to do is to update. However, I am told this is not happening. Thus, I am trying to determine if the following are set:

spark.acls.enable false
spark.history.ui.acls.enable false

These are 100% set in the config. I checked the config for weird whitespace issues in a hex editor. Nonetheless, the config does not show up in the UI. Thus, I took a heap dump. If I read the heap dump in text mode I can see this:

V is abstract���spark.acls.enable1�0invalid end of optional part at position

I am not able to find this in VisualVM or MAT to determine what that is set to. Any thoughts?


Andrew Pomponio | Associate Enterprise Architect, OpenLogic, Perforce Software


Re: CVE-2022-33891 mitigation

Posted by Kostya Kortchinsky <ko...@databricks.com.INVALID>.
Correct: as per the code below from SecurityManager.scala, if acls aren't
enabled, we skip the vulnerable code path (getCurrentUserGroups)

  private def isUserInACL(
      user: String,
      aclUsers: Set[String],
      aclGroups: Set[String]): Boolean = {
    if (user == null ||
        !aclsEnabled ||
        aclUsers.contains(WILDCARD_ACL) ||
        aclUsers.contains(user) ||
        aclGroups.contains(WILDCARD_ACL)) {
      true
    } else {
      val userGroups = Utils.getCurrentUserGroups(sparkConf, user)
      logDebug(s"user $user is in groups ${userGroups.mkString(",")}")
      aclGroups.exists(userGroups.contains(_))
    }
  }

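As an added example (not code from the thread, and not Spark's own), a small Python check of the two switches Andrew asks about, read the way Spark loads spark-defaults.conf (java.util.Properties form, simplified here); it also flags the non-ASCII whitespace he went looking for, since Properties.load does not treat it as a key/value separator and the key would then never register under its expected name.

```python
"""Check a spark-defaults.conf for the UI ACL switches that gate the
isUserInACL() group lookup. Simplified java.util.Properties parsing."""
import re
from typing import Dict, List, Tuple

# java.util.Properties (which Spark uses to load spark-defaults.conf) only
# treats space, tab and form feed as key/value separators, plus '=' and ':'.
# Other whitespace, e.g. NBSP U+00A0 from a copy/paste, is glued onto the key.
_SEP = re.compile(r"[ \t\f]*[=:][ \t\f]*|[ \t\f]+")
ACL_KEYS = ("spark.acls.enable", "spark.history.ui.acls.enable")


def parse_spark_defaults(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (properties, warnings). Later duplicates override earlier ones."""
    props: Dict[str, str] = {}
    warnings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip(" \t\f")
        if not line or line[0] in "#!":
            continue
        if any(ch.isspace() and ord(ch) > 0x7F for ch in line):
            warnings.append(f"line {lineno}: non-ASCII whitespace in {raw!r}")
        m = _SEP.search(line)
        key, value = (line[:m.start()], line[m.end():]) if m else (line, "")
        props[key] = value.strip()
    return props, warnings


def acls_enabled(props: Dict[str, str], key: str = "spark.acls.enable") -> bool:
    """Effective boolean as Spark's getBoolean reads it: default false, case-insensitive."""
    value = props.get(key, "false").lower()
    if value not in ("true", "false"):
        raise ValueError(f"{key}={props[key]!r} is not a boolean")
    return value == "true"


def check_config(text: str) -> Tuple[Dict[str, Tuple[bool, bool]], List[str]]:
    """Map each ACL key to (enabled, explicitly_set). A key that was never set
    is absent from SparkConf, so it also never appears in the UI's Environment tab."""
    props, warnings = parse_spark_defaults(text)
    return {k: (acls_enabled(props, k), k in props) for k in ACL_KEYS}, warnings


# Constructed sample inputs, not the poster's real file.
SAMPLE_CONF = """spark.master                 yarn
spark.acls.enable            false
spark.history.ui.acls.enable=false
"""
BAD_CONF = "spark.acls.enable\u00a0false\n"  # NBSP instead of a space

if __name__ == "__main__":
    print(check_config(SAMPLE_CONF), check_config(BAD_CONF))
```

A key reported as (False, False) means ACLs are off by default but the line never parsed as that key, which is the same symptom as the value not showing up in the UI.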

Re: CVE-2022-33891 mitigation

Posted by Sean Owen <sr...@gmail.com>.
CCing Kostya for a better view, but I believe that this will not be an
issue if you're not using the ACLs in Spark, yes.
