- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Duplicate
- Affects Version/s: None
- Fix Version/s: None
- Component/s: None
- Labels: None
TL;DR: If you have commons-collections on your classpath and accept and process Java object serialization data, then you may have an exploitable remote command execution vulnerability.
In ./launcher/src/main/java/org/apache/spark/launcher/LauncherConnection.java:

    ObjectInputStream in = new ObjectInputStream(socket.getInputStream());
    while (!closed) {
      Message msg = (Message) in.readObject();
There may be other occurrence(s).
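A defensive pattern for the readObject() call quoted above, as an added example that is not Spark's own code: an ObjectInputStream subclass that refuses to resolve any class outside an explicit allowlist, so a gadget chain from commons-collections (or any other library on the classpath) is rejected before it is instantiated. The package prefix and the JDK types in forLauncher are assumptions about what the launcher's Message objects contain.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

/** ObjectInputStream that only resolves allowlisted classes (added example). */
public final class AllowlistObjectInputStream extends ObjectInputStream {
    private final String allowedPackagePrefix;
    private final Set<String> allowedClasses;

    public AllowlistObjectInputStream(InputStream in, String allowedPackagePrefix,
                                      Set<String> allowedClasses) throws IOException {
        super(in);
        this.allowedPackagePrefix = allowedPackagePrefix;
        this.allowedClasses = allowedClasses;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // Normalise array descriptors: "[Ljava.lang.String;" is checked as
        // java.lang.String, and primitive arrays such as "[I" are always allowed.
        String name = desc.getName();
        while (name.startsWith("[")) name = name.substring(1);
        if (name.length() == 1 && "ZBCSIJFD".contains(name)) return super.resolveClass(desc);
        if (name.startsWith("L") && name.endsWith(";")) name = name.substring(1, name.length() - 1);
        if (name.startsWith(allowedPackagePrefix) || allowedClasses.contains(name)) {
            return super.resolveClass(desc);
        }
        // Reject before the class is loaded and before any readObject() gadget can run.
        throw new InvalidClassException(desc.getName(), "class not on deserialization allowlist");
    }

    /** Constructed configuration for the launcher socket; the package prefix and
     *  JDK types are assumptions about the fields of the protocol's Message classes. */
    public static AllowlistObjectInputStream forLauncher(InputStream in) throws IOException {
        return new AllowlistObjectInputStream(in, "org.apache.spark.launcher.",
            Set.of("java.lang.String", "java.lang.Integer", "java.lang.Long",
                   "java.lang.Boolean", "java.lang.Number", "java.util.HashMap",
                   "java.util.ArrayList"));
    }
}
```

With this class, the vulnerable line becomes `ObjectInputStream in = AllowlistObjectInputStream.forLauncher(socket.getInputStream());` and the rest of the loop is unchanged. On Java 9 and later the same restriction can be expressed with the built-in java.io.ObjectInputFilter, e.g. `in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("org.apache.spark.launcher.*;java.lang.*;!*"))`.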
- Duplicates: SPARK-11652 Remote code execution with InvokerTransformer (Resolved)