Uploaded image for project: 'Spark'
  1. Spark
  2. SPARK-11682

Commons-collections object deserialization may expose remote command execution vulnerability

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

      TL;DR: If you have commons-collections on your classpath and accept and process Java object serialization data, then you may have an exploitable remote command execution vulnerability.

      In ./launcher/src/main/java/org/apache/spark/launcher/LauncherConnection.java :

            ObjectInputStream in = new ObjectInputStream(socket.getInputStream());
      while (!closed) {
        Message msg = (Message) in.readObject();

      There may be other occurrence(s).

        Attachments

          Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. SPARK-11652 Remote code execution with InvokerTransformer

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                yuzhihong@gmail.com Ted Yu
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: