Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Duplicate
Description
TL;DR: If you have commons-collections on your classpath and accept and process Java object serialization data, then you may have an exploitable remote command execution vulnerability.
In ./launcher/src/main/java/org/apache/spark/launcher/LauncherConnection.java :
    ObjectInputStream in = new ObjectInputStream(socket.getInputStream());
    while (!closed) {
      Message msg = (Message) in.readObject();
There may be other occurrence(s).
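The usual mitigation for the pattern quoted above is look-ahead deserialization: subclass ObjectInputStream and reject any class descriptor that is not on an explicit allowlist before the class is loaded or instantiated, so a gadget chain (such as the commons-collections one the TL;DR refers to) is refused at the first unexpected class. The following is an added example, not code from Spark or from the launcher module; the Message and Hello types are hypothetical stand-ins for the launcher protocol classes, and the allowlist contents are an assumption that would have to be replaced with the full set of classes the real protocol can carry.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

/**
 * Added example (not Spark's code): an ObjectInputStream that resolves only
 * allowlisted classes. Any other class descriptor in the stream causes an
 * InvalidClassException before the class is loaded, so no readObject()
 * hook of an unexpected type ever runs.
 */
public final class AllowlistObjectInputStream extends ObjectInputStream {

    private final Set<String> allowed;

    public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // Fail closed: the class is neither loaded nor instantiated.
            throw new InvalidClassException(name, "class not permitted in launcher stream");
        }
        return super.resolveClass(desc);
    }

    // Hypothetical protocol types standing in for the launcher's Message classes.
    public interface Message extends Serializable {}

    public static final class Hello implements Message {
        private static final long serialVersionUID = 1L;
        final String secret;
        Hello(String secret) { this.secret = secret; }
    }

    // Assumed allowlist: every concrete class that may legitimately appear in the
    // stream. Strings and primitives are encoded inline and need no entry.
    private static final Set<String> LAUNCHER_ALLOWLIST = Set.of(Hello.class.getName());

    public static void main(String[] args) throws Exception {
        // 1. A legitimate message round-trips through the filtering stream.
        ByteArrayOutputStream good = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(good)) {
            out.writeObject(new Hello("s3cret"));
        }
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(good.toByteArray()), LAUNCHER_ALLOWLIST)) {
            Message msg = (Message) in.readObject();
            System.out.println("accepted: " + msg.getClass().getSimpleName());
        }

        // 2. A constructed stream carrying a class that is not on the allowlist
        //    (java.util.HashMap here, chosen only as an arbitrary non-Message type)
        //    is rejected at resolveClass, before any object is built.
        ByteArrayOutputStream bad = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bad)) {
            out.writeObject(new java.util.HashMap<String, String>());
        }
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(bad.toByteArray()), LAUNCHER_ALLOWLIST)) {
            in.readObject();
            System.out.println("BUG: non-allowlisted class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same effect is available without subclassing by attaching a deserialization filter to the stream, for example `in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("org.apache.spark.launcher.*;!*"))`, which accepts the launcher package and rejects everything else; the allowlist approach above also works on the Java 7/8 runtimes that were current for this report. In either form the allowlist has to cover every class that can appear in the stream, including nested types and array types, or legitimate messages will be rejected.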
Issue Links
- duplicates SPARK-11652 Remote code execution with InvokerTransformer (Resolved)