Uploaded image for project: 'Spark'
  1. Spark
  2. SPARK-26802

CVE-2018-11760: Apache Spark local privilege escalation vulnerability

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.6.3, 2.0.2, 2.1.3, 2.2.2
    • Fix Version/s: 2.2.3, 2.3.2, 2.4.0
    • Component/s: PySpark, Security
    • Labels:
      None

      Description

      Severity: Important

      Vendor: The Apache Software Foundation

      Versions affected:
      All Spark 1.x, Spark 2.0.x, and Spark 2.1.x versions
      Spark 2.2.0 to 2.2.2
      Spark 2.3.0 to 2.3.1

      Description:
      When using PySpark , it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.

      Mitigation:
      1.x, 2.0.x, 2.1.x, and 2.2.x users should upgrade to 2.2.3 or newer
      2.3.x users should upgrade to 2.3.2 or newer
      Otherwise, affected users should avoid using PySpark in multi-user environments.

      Credit:
      This issue was reported by Luca Canali and Jose Carlos Luna Duran from CERN.

      References:
      https://spark.apache.org/security.html

      This was fixed by
      master / 2.4:
      https://github.com/apache/spark/commit/15fc2372269159ea2556b028d4eb8860c4108650
      https://github.com/apache/spark/commit/0df6bf882907d7d76572f513168a144067d0e0ec

      branch-2.3
      https://github.com/apache/spark/commit/8080c937d3752aee2fd36f0045a057f7130f6fe

      branch-2.2
      https://github.com/apache/spark/commit/a5624c7ae29d6d49117dd78642879bf978212d30

      branch-2.1 (note that this does not exist in any release)
      https://github.com/apache/spark/commit/b2e0f68f615cbe2cf74f9813ece76c311fe8e911

        Attachments

          Activity

            People

            • Assignee:
              lucacanali Luca Canali
              Reporter:
              irashid Imran Rashid
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: