Uploaded image for project: 'Spark'
  1. Spark
  2. SPARK-20922

Unsafe deserialization in Spark LauncherConnection

    Details

      Description

      The run() method of the class org.apache.spark.launcher.LauncherConnection performs unsafe deserialization of data received by its socket. This makes Spark applications launched programmatically using the SparkLauncher framework potentially vulnerable to remote code execution by an attacker with access to any user account on the local machine. Such an attacker could send a malicious serialized Java object to multiple ports on the local machine, and if this port matches the one (randomly) chosen by the Spark launcher, the malicious object will be deserialized. By making use of gadget chains in code present on the Spark application classpath, the deserialization process can lead to RCE or privilege escalation.

      This vulnerability is identified by the “Unsafe deserialization” rule on lgtm.com:
      https://lgtm.com/projects/g/apache/spark/snapshot/80fdc2c9d1693f5b3402a79ca4ec76f6e422ff13/files/launcher/src/main/java/org/apache/spark/launcher/LauncherConnection.java#V58

      Attached is a proof-of-concept exploit involving a simple SparkLauncher-based application and a known gadget chain in the Apache Commons Beanutils library referenced by Spark.
      See the readme file for demonstration instructions.

        Attachments

          Activity

            People

            • Assignee:
              vanzin Marcelo Vanzin
              Reporter:
              adityasharad Aditya Sharad
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: