Uploaded image for project: 'Spark'
  1. Spark
  2. SPARK-26802

CVE-2018-11760: Apache Spark local privilege escalation vulnerability

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Blocker
    • Resolution: Fixed
    • 1.6.3, 2.0.2, 2.1.3, 2.2.2
    • 2.2.3, 2.3.2, 2.4.0
    • PySpark, Security
    • None

    Description

      Severity: Important

      Vendor: The Apache Software Foundation

      Versions affected:
      All Spark 1.x, Spark 2.0.x, and Spark 2.1.x versions
      Spark 2.2.0 to 2.2.2
      Spark 2.3.0 to 2.3.1

      Description:
      When using PySpark , it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.

      Mitigation:
      1.x, 2.0.x, 2.1.x, and 2.2.x users should upgrade to 2.2.3 or newer
      2.3.x users should upgrade to 2.3.2 or newer
      Otherwise, affected users should avoid using PySpark in multi-user environments.

      Credit:
      This issue was reported by Luca Canali and Jose Carlos Luna Duran from CERN.

      References:
      https://spark.apache.org/security.html

      This was fixed by
      master / 2.4:
      https://github.com/apache/spark/commit/15fc2372269159ea2556b028d4eb8860c4108650
      https://github.com/apache/spark/commit/0df6bf882907d7d76572f513168a144067d0e0ec

      branch-2.3
      https://github.com/apache/spark/commit/8080c937d3752aee2fd36f0045a057f7130f6fe

      branch-2.2
      https://github.com/apache/spark/commit/a5624c7ae29d6d49117dd78642879bf978212d30

      branch-2.1 (note that this does not exist in any release)
      https://github.com/apache/spark/commit/b2e0f68f615cbe2cf74f9813ece76c311fe8e911

      Attachments

        Activity

          People

            lucacanali Luca Canali
            irashid Imran Rashid
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: