You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Imran Rashid (JIRA)" <ji...@apache.org> on 2019/01/31 17:36:00 UTC
[jira] [Created] (SPARK-26802) CVE-2018-11760: Apache Spark local
privilege escalation vulnerability
Imran Rashid created SPARK-26802:
------------------------------------
Summary: CVE-2018-11760: Apache Spark local privilege escalation vulnerability
Key: SPARK-26802
URL: https://issues.apache.org/jira/browse/SPARK-26802
Project: Spark
Issue Type: Bug
Components: Security, PySpark
Affects Versions: 2.2.2, 2.1.3, 2.0.2, 1.6.3
Reporter: Imran Rashid
Assignee: Luca Canali
Fix For: 2.4.0, 2.3.2, 2.2.3
Severity: Important
Vendor: The Apache Software Foundation
Versions affected:
All Spark 1.x, Spark 2.0.x, and Spark 2.1.x versions
Spark 2.2.0 to 2.2.2
Spark 2.3.0 to 2.3.1
Description:
When using PySpark , it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
Mitigation:
1.x, 2.0.x, 2.1.x, and 2.2.x users should upgrade to 2.2.3 or newer
2.3.x users should upgrade to 2.3.2 or newer
Otherwise, affected users should avoid using PySpark in multi-user environments.
Credit:
This issue was reported by Luca Canali and Jose Carlos Luna Duran from CERN.
References:
https://spark.apache.org/security.html
This was fixed by
https://github.com/apache/spark/commit/15fc2372269159ea2556b028d4eb8860c4108650
https://github.com/apache/spark/commit/8080c937d3752aee2fd36f0045a057f7130f6fe4
https://github.com/apache/spark/commit/a5624c7ae29d6d49117dd78642879bf978212d30
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org