CVE-2018-17190
published 2018-11-19CVE-2018-17190: In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The…
PriorityP265critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
8.72%
94.5th percentile
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | spark | — | — |
| apache_software_foundation | apache_spark | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Target is the Apache Spark standalone resource manager 'master' host — a specially-crafted request to the master can cause it to execute user code unexpectedly ↗
- →Vulnerability only applies to standalone clusters without authentication; monitor for unauthenticated code-submission requests to the Spark master endpoint ↗
- ·Enable spark.authenticate and related security properties to mitigate; unauthenticated standalone clusters are the affected configuration ↗
- ·All versions of Apache Spark are affected — there is no safe version to downgrade to; the fix is configuration-based (authentication) ↗
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_apache9.8LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Remote Code Execution in spark-core
osv·2018-11-21
CVE-2018-17190 [CRITICAL] Remote Code Execution in spark-core
Remote Code Execution in spark-core
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
# Mitigation
Enable authentication on any Spark standalone cluster that is not otherwise secured from unwanted access, for example by network-level restrictions. Use spark.authenticate and related security properties descr
GHSA
Remote Code Execution in spark-core
ghsa·2018-11-21
CVE-2018-17190 [CRITICAL] Remote Code Execution in spark-core
Remote Code Execution in spark-core
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
# Mitigation
Enable authentication on any Spark standalone cluster that is not otherwise secured from unwanted access, for example by network-level restrictions. Use spark.authenticate and related security properties descr
Apache
Apache spark: CVE-2018-17190
vendor_apache·CVSS 9.8
CVE-2018-17190 [LOW] Apache spark: CVE-2018-17190
Apache spark: CVE-2018-17190
Severity: Low Vendor: The Apache Software Foundation Versions Affected: All versions of Apache Spark Description: Spark’s standalone resource manager accepts code to execute on a ‘master’ host, that then runs that code on ‘worker’ hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected. Mitigation: Enable authentication on any Spark standalone cluster that is not otherwise secured from unwanted access, for example by network-level
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.securityfocus.com/bid/105976https://lists.apache.org/thread.html/341c3187f15cdb0d353261d2bfecf2324d56cb7db1339bfc7b30f6e5%40%3Cdev.spark.apache.org%3Ehttps://security.gentoo.org/glsa/201903-21https://www.oracle.com/security-alerts/cpujul2020.htmlhttp://www.securityfocus.com/bid/105976https://lists.apache.org/thread.html/341c3187f15cdb0d353261d2bfecf2324d56cb7db1339bfc7b30f6e5%40%3Cdev.spark.apache.org%3Ehttps://security.gentoo.org/glsa/201903-21https://www.oracle.com/security-alerts/cpujul2020.html
2018-11-19
Published