Details
Description
Severity: Important
Vendor: The Apache Software Foundation
Versions affected:
All Spark 1.x, Spark 2.0.x, and Spark 2.1.x versions
Spark 2.2.0 to 2.2.2
Spark 2.3.0 to 2.3.1
Description:
When using PySpark , it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
Mitigation:
1.x, 2.0.x, 2.1.x, and 2.2.x users should upgrade to 2.2.3 or newer
2.3.x users should upgrade to 2.3.2 or newer
Otherwise, affected users should avoid using PySpark in multi-user environments.
Credit:
This issue was reported by Luca Canali and Jose Carlos Luna Duran from CERN.
References:
https://spark.apache.org/security.html
This was fixed by
master / 2.4:
https://github.com/apache/spark/commit/15fc2372269159ea2556b028d4eb8860c4108650
https://github.com/apache/spark/commit/0df6bf882907d7d76572f513168a144067d0e0ec
branch-2.3
https://github.com/apache/spark/commit/8080c937d3752aee2fd36f0045a057f7130f6fe
branch-2.2
https://github.com/apache/spark/commit/a5624c7ae29d6d49117dd78642879bf978212d30
branch-2.1 (note that this does not exist in any release)
https://github.com/apache/spark/commit/b2e0f68f615cbe2cf74f9813ece76c311fe8e911