Posted to dev@spark.apache.org by Sean Owen <sr...@apache.org> on 2018/07/11 20:17:18 UTC
CVE-2018-8024 Apache Spark XSS vulnerability in UI
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected:
Spark versions through 2.1.2
Spark 2.2.0 through 2.2.1
Spark 2.3.0
Description:
In Apache Spark up to and including 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's
possible for a malicious user to construct a URL pointing to a Spark
cluster's UI's job and stage info pages, and if a user can be tricked into
accessing the URL, can be used to cause script to execute and expose
information from the user's view of the Spark UI. While some browsers like
recent versions of Chrome and Safari are able to block this type of attack,
current versions of Firefox (and possibly others) do not.
Mitigation:
1.x, 2.0.x, and 2.1.x users should upgrade to 2.1.3 or newer
2.2.x users should upgrade to 2.2.2 or newer
2.3.x users should upgrade to 2.3.1 or newer
Credit:
Spencer Gietzen, Rhino Security Labs
References:
https://spark.apache.org/security.html
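
A version-triage helper for the affected ranges and upgrade targets listed in the advisory above. It is an added example, not part of the original post or of the Spark project. The inventory, hostnames, status labels and the conservative "review" result for pre-release builds are assumptions.

```python
import re

# Minimum fixed release per release line, from the advisory's Mitigation section.
FIXED = {(2, 2): (2, 2, 2), (2, 3): (2, 3, 1)}
OLDEST_FIXED = (2, 1, 3)  # 1.x, 2.0.x and 2.1.x all move to 2.1.3 or newer
PRERELEASE = re.compile(r"snapshot|[-.]rc\d*", re.I)  # assumed build suffixes

def parse_version(text):
    """Return (major, minor, patch) from strings such as '2.3.0',
    '2.3.1-SNAPSHOT' or 'spark-2.1.2-bin-hadoop2.7'; None if absent."""
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def triage(text):
    """Classify one version string against the CVE-2018-8024 ranges.
    Returns (status, minimum fixed release or None)."""
    v = parse_version(text)
    if v is None:
        return ("unparsed", None)
    target = OLDEST_FIXED if v[:2] <= (2, 1) else FIXED.get(v[:2])
    if target is None:  # release lines the advisory does not list
        return ("not listed", None)
    fixed = ".".join(map(str, target))
    if v < target:
        return ("affected", fixed)
    if PRERELEASE.search(text):  # a pre-release of a fixed version may predate the fix
        return ("review", fixed)
    return ("fixed", None)

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = {
    "etl-01": "spark-2.1.2-bin-hadoop2.7",
    "etl-02": "2.2.2",
    "ml-01": "2.3.0",
    "ml-02": "2.3.1-SNAPSHOT",
    "legacy": "1.6.3",
}

def report(inventory):
    return {host: triage(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, (status, fix) in report(INVENTORY).items():
        print(host, status, f"upgrade to {fix} or newer" if fix else "")
```

Builds that carry a vendor's backported patches are classified by their upstream version number only, so confirm those with the vendor.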
Re: CVE-2018-8024 Apache Spark XSS vulnerability in UI
Posted by Sandeep Katta <sa...@gmail.com>.
I was going through this and the CVE-2018-1334 vulnerabilities.
As per the mitigation plan, it is advised to upgrade to 2.2.2 and 2.3.1, but in the
release notes I don’t find any reference to these vulnerabilities. Can
someone please provide me the JIRA ID against which these issues are fixed?
Regards
Sandeep Katta
On Thu, 12 Jul 2018 at 1:47 AM, Sean Owen <sr...@apache.org> wrote:
> Severity: Medium
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Spark versions through 2.1.2
> Spark 2.2.0 through 2.2.1
> Spark 2.3.0
>
> Description:
> In Apache Spark up to and including 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's
> possible for a malicious user to construct a URL pointing to a Spark
> cluster's UI's job and stage info pages, and if a user can be tricked into
> accessing the URL, can be used to cause script to execute and expose
> information from the user's view of the Spark UI. While some browsers like
> recent versions of Chrome and Safari are able to block this type of attack,
> current versions of Firefox (and possibly others) do not.
>
> Mitigation:
> 1.x, 2.0.x, and 2.1.x users should upgrade to 2.1.3 or newer
> 2.2.x users should upgrade to 2.2.2 or newer
> 2.3.x users should upgrade to 2.3.1 or newer
>
> Credit:
> Spencer Gietzen, Rhino Security Labs
>
> References:
> https://spark.apache.org/security.html
>