CVE-2018-17190
published 2018-11-19

Priority: P265 | critical | CVSS 3.0: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 8.72% (94.5th percentile)
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.

Affected

2 ranges

Vendor                      Product       Version range  Fixed in
apache                      spark
apache_software_foundation  apache_spark

Detection & IOCs (extracted from sources)

  • Target is the Apache Spark standalone resource manager 'master' host — a specially-crafted request to the master can cause it to execute user code unexpectedly
  • Vulnerability only applies to standalone clusters without authentication; monitor for unauthenticated code-submission requests to the Spark master endpoint
  • Enable spark.authenticate and related security properties to mitigate; unauthenticated standalone clusters are the affected configuration
  • All versions of Apache Spark are affected — there is no safe version to downgrade to; the fix is configuration-based (authentication)
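
Because the mitigation is a configuration setting rather than a patched version, a configuration audit is the practical check. The following is an added example, not code from this page or from the Apache Spark project: it parses spark-defaults.conf style text and reports whether spark.authenticate is enabled. It assumes keys and values are separated by whitespace or '=', and that the shared secret is set in the same file through spark.authenticate.secret; the function names and sample configs are constructed for illustration.

```python
import re

def parse_spark_conf(text):
    """Parse spark-defaults.conf style text into a dict (last value wins)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        # Assumption: key and value are separated by whitespace or '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit_spark_conf(text):
    """Return a list of findings; an empty list means authentication is configured."""
    conf = parse_spark_conf(text)
    findings = []
    # spark.authenticate defaults to false when the key is absent.
    if conf.get("spark.authenticate", "false").lower() != "true":
        findings.append("spark.authenticate is not enabled "
                        "(affected configuration for CVE-2018-17190 on standalone clusters)")
    elif not conf.get("spark.authenticate.secret"):
        # Assumption: the secret is expected in this same file.
        findings.append("spark.authenticate is true but spark.authenticate.secret "
                        "is not set in this file")
    return findings

# Constructed sample configurations (not taken from any real cluster).
SAMPLES = {
    "no-auth": "# defaults only\nspark.master spark://master.example:7077\n",
    "auth-no-secret": "spark.authenticate = true\n",
    "overridden": "spark.authenticate true\nspark.authenticate false\n",
    "hardened": "spark.authenticate true\n"
                "spark.authenticate.secret  PLACEHOLDER_SECRET\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        result = audit_spark_conf(text)
        print(name, "->", result if result else "OK")
```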

CVSS provenance

nvd            v3.0  9.8  CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0  7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_apache        9.8  LOW