Uploaded image for project: 'Spark'
  1. Spark
  2. SPARK-11652

Remote code execution with InvokerTransformer

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • None
    • 1.4.2, 1.5.3, 1.6.0
    • Spark Core
    • None

    Description

      There is a remote code execution vulnerability in the Apache Commons collections library (https://issues.apache.org/jira/browse/COLLECTIONS-580) that can be exploited simply by causing malicious data to be deserialized using Java serialization.

      As Spark is used in security-conscious environments I think it's worth taking a closer look at how the vulnerability affects Spark. What are the points where Spark deserializes external data? Which are affected by using Kryo instead of Java serialization? What mitigation strategies are available?

      If the issue is serious enough but mitigation is possible, it may be useful to post about it on the mailing list or blog.

      Thanks!

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. SPARK-11682 Commons-collections object deserialization may expose remote command execution vulnerability

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. SPARK-19943 commons-collections has vulnerability: CVE-2015-6420

          • Major - Major loss of function.
          • Resolved
          links to

          Pull request #9731 [Github] Pull Request #9731 (srowen)

          Pull request #10198 [Github] Pull Request #10198 (srowen)

          Activity

            People

              srowen Sean R. Owen
              darabos Daniel Darabos
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: