Posted to issues@spark.apache.org by "Imran Rashid (JIRA)" <ji...@apache.org> on 2019/01/31 17:36:00 UTC

[jira] [Resolved] (SPARK-26802) CVE-2018-11760: Apache Spark local privilege escalation vulnerability

     [ https://issues.apache.org/jira/browse/SPARK-26802?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Imran Rashid resolved SPARK-26802.
----------------------------------
    Resolution: Fixed

> CVE-2018-11760: Apache Spark local privilege escalation vulnerability
> ---------------------------------------------------------------------
>
>                 Key: SPARK-26802
>                 URL: https://issues.apache.org/jira/browse/SPARK-26802
>             Project: Spark
>          Issue Type: Bug
>          Components: PySpark, Security
>    Affects Versions: 1.6.3, 2.0.2, 2.1.3, 2.2.2
>            Reporter: Imran Rashid
>            Assignee: Luca Canali
>            Priority: Blocker
>             Fix For: 2.4.0, 2.3.2, 2.2.3
>
>
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions affected:
> All Spark 1.x, Spark 2.0.x, and Spark 2.1.x versions
> Spark 2.2.0 to 2.2.2
> Spark 2.3.0 to 2.3.1
> Description:
> When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
> Mitigation:
> 1.x, 2.0.x, 2.1.x, and 2.2.x users should upgrade to 2.2.3 or newer
> 2.3.x users should upgrade to 2.3.2 or newer
> Otherwise, affected users should avoid using PySpark in multi-user environments.
> Credit:
> This issue was reported by Luca Canali and Jose Carlos Luna Duran from CERN.
> References:
> https://spark.apache.org/security.html
> This was fixed by
> https://github.com/apache/spark/commit/15fc2372269159ea2556b028d4eb8860c4108650
> https://github.com/apache/spark/commit/8080c937d3752aee2fd36f0045a057f7130f6fe4
> https://github.com/apache/spark/commit/a5624c7ae29d6d49117dd78642879bf978212d30



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
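The advisory above gives the affected and fixed version ranges but no tooling for checking an installed base against them. The script below is an added example written for this page; it is not code from the Spark project or from the JIRA issue. It encodes the ranges exactly as the advisory states them (all 1.x, 2.0.x and 2.1.x; 2.2.0 to 2.2.2; 2.3.0 to 2.3.1) and the advisory's upgrade targets (2.3.2 for the 2.3 line, 2.2.3 for everything older), so a defender can triage a host inventory offline. The `SAMPLE_INVENTORY` hostnames and versions are constructed for the example, the `999` upper-bound sentinel is an assumption used only to express "every patch release of that line", and version strings are assumed to start with their numeric components (a suffix such as `-SNAPSHOT` is ignored).

```python
"""Triage helper for CVE-2018-11760 (PySpark local privilege escalation).

Added example, not part of the Spark project or the advisory. It encodes the
advisory's affected ranges and fix versions so a fleet inventory can be
checked offline.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as (inclusive_low, inclusive_high), straight from the advisory:
# all 1.x, all 2.0.x and 2.1.x, 2.2.0-2.2.2, 2.3.0-2.3.1.
# 999 is an assumed sentinel meaning "any patch/minor release of that line".
AFFECTED_RANGES = [
    ((1, 0, 0), (1, 999, 999)),
    ((2, 0, 0), (2, 1, 999)),
    ((2, 2, 0), (2, 2, 2)),
    ((2, 3, 0), (2, 3, 1)),
]

# Minimum safe version per release line, from the advisory's mitigation section.
FIXED_IN = {
    (2, 3): "2.3.2",
    (2, 2): "2.2.3",
}
DEFAULT_UPGRADE = "2.2.3"   # advisory: 1.x, 2.0.x, 2.1.x, 2.2.x -> 2.2.3 or newer

# Assumption: the numeric components come first; any "-suffix" is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch][-suffix]' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Spark version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_affected(version: str) -> bool:
    """True if the version falls inside any range listed in the advisory."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Advisory's minimum safe version for an affected install, else None."""
    if not is_affected(version):
        return None
    major, minor, _ = parse_version(version)
    return FIXED_IN.get((major, minor), DEFAULT_UPGRADE)


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Map host -> (affected?, upgrade target) for a host -> version inventory."""
    return {host: (is_affected(ver), recommended_upgrade(ver))
            for host, ver in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "edge-01": "2.3.1",
    "edge-02": "2.3.2",
    "batch-07": "1.6.3",
    "batch-08": "2.2.3",
    "notebook-3": "2.4.0",
}

if __name__ == "__main__":
    for host, (affected, target) in triage(SAMPLE_INVENTORY).items():
        status = (f"AFFECTED -> upgrade to {target} or newer"
                  if affected else "not affected")
        print(f"{host:12s} {SAMPLE_INVENTORY[host]:8s} {status}")
```

Feeding it a real inventory (for example, the `version` reported by each cluster's Spark UI) turns the advisory's prose ranges into a per-host list; hosts that cannot be upgraded promptly are the ones where the advisory's fallback of not running PySpark in multi-user environments applies.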