Posted to commits@spark.apache.org by do...@apache.org on 2020/06/22 21:57:00 UTC

[spark-website] branch asf-site updated: CVE-2020-9480 details (#275)

This is an automated email from the ASF dual-hosted git repository.

dongjoon pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/spark-website.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 08327a2  CVE-2020-9480 details (#275)
08327a2 is described below

commit 08327a24e163dbd674ce83c29bd485f5e90c2ea5
Author: Sean Owen <sr...@gmail.com>
AuthorDate: Mon Jun 22 16:56:48 2020 -0500

    CVE-2020-9480 details (#275)
---
 security.md        | 33 +++++++++++++++++++++++++++++++++
 site/security.html | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)

diff --git a/security.md b/security.md
index 7e062b8..90c7da9 100644
--- a/security.md
+++ b/security.md
@@ -18,6 +18,39 @@ non-public list that will reach the Apache Security team, as well as the Spark P
 
 <h2>Known Security Issues</h2>
 
+<h3 id="CVE-2020-9480">CVE-2020-9480: Apache Spark RCE vulnerability in auth-enabled standalone master</h3>
+
+Severity: Important
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+- Apache Spark 2.4.5 and earlier
+
+Description:
+
+In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may
+be configured to require authentication (`spark.authenticate`) via a
+shared secret. When enabled, however, a specially-crafted RPC to the
+master can succeed in starting an application's resources on the Spark
+cluster, even without the shared key. This can be leveraged to execute
+shell commands on the host machine.
+
+This does not affect Spark clusters using other resource managers
+(YARN, Mesos, etc).
+
+
+Mitigation:
+
+- Users should update to Spark 2.4.6 or 3.0.0.
+- Where possible, network access to the cluster machines should be restricted to trusted hosts only.
+
+Credit:
+
+- Ayoub Elaassal
+
+
 <h3 id="CVE-2019-10099">CVE-2019-10099: Apache Spark unencrypted data on local disk</h3>
 
 Severity: Important
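Review bot: the added entry ends with two consecutive blank lines in two places (after the "(YARN, Mesos, etc)." paragraph and after the "Ayoub Elaassal" credit line), which breaks the single-blank-line spacing the rest of security.md uses between fields and between CVE entries; drop one blank line in each spot so the CVE-2020-9480 block matches the CVE-2019-10099 entry that follows it. On substance, the Mitigation list could state explicitly that `spark.authenticate` alone does not protect an affected standalone master, since the Description already says the RPC succeeds without the shared key; that makes the "restrict network access" item read as a stop-gap alongside upgrading to 2.4.6 or 3.0.0 rather than as an alternative to it.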
diff --git a/site/security.html b/site/security.html
index 82f3e0d..928542a 100644
--- a/site/security.html
+++ b/site/security.html
@@ -211,6 +211,43 @@ non-public list that will reach the Apache Security team, as well as the Spark P
 
 <h2>Known Security Issues</h2>
 
+<h3 id="CVE-2020-9480">CVE-2020-9480: Apache Spark RCE vulnerability in auth-enabled standalone master</h3>
+
+<p>Severity: Important</p>
+
+<p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected:</p>
+
+<ul>
+  <li>Apache Spark 2.4.5 and earlier</li>
+</ul>
+
+<p>Description:</p>
+
+<p>In Apache Spark 2.4.5 and earlier, a standalone resource manager&#8217;s master may
+be configured to require authentication (<code class="highlighter-rouge">spark.authenticate</code>) via a
+shared secret. When enabled, however, a specially-crafted RPC to the
+master can succeed in starting an application&#8217;s resources on the Spark
+cluster, even without the shared key. This can be leveraged to execute
+shell commands on the host machine.</p>
+
+<p>This does not affect Spark clusters using other resource managers
+(YARN, Mesos, etc).</p>
+
+<p>Mitigation:</p>
+
+<ul>
+  <li>Users should update to Spark 2.4.6 or 3.0.0.</li>
+  <li>Where possible, network access to the cluster machines should be restricted to trusted hosts only.</li>
+</ul>
+
+<p>Credit:</p>
+
+<ul>
+  <li>Ayoub Elaassal</li>
+</ul>
+
 <h3 id="CVE-2019-10099">CVE-2019-10099: Apache Spark unencrypted data on local disk</h3>
 
 <p>Severity: Important</p>
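Review bot: site/security.html is the rendered copy of security.md, so the thing to verify here is that it was regenerated rather than hand-edited: the `&#8217;` entities and the `class="highlighter-rouge"` attribute on the `<code>` element are what the site generator emits, the `id="CVE-2020-9480"` anchor matches the markdown heading, and the paragraph and list text match the security.md hunk word for word. The doubled blank lines from the markdown hunk do not carry over into this output, which is consistent with generated HTML; if the markdown spacing is tidied, regenerate this file again so the two stay in sync.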

