CVE-2022-33891
Published 2022-07-18
Priority P194 · high · CVSS 3.1 score 8.8
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2023-03-28
Exploited in the wild
EPSS: 92.98% (99.8th percentile)
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | spark | <= 3.0.3 | — |
| apache | spark | — | — |
| apache | spark | 3.1.1 – 3.1.2 | — |
| apache | spark | 3.1.1 – 3.1.3 | — |
| apache | spark | 3.2.0 – 3.2.1 | — |
| apache_software_foundation | apache_spark | >= 3.1.1 < 3.2.2 | 3.2.2 |
Detection & IOCs (extracted from sources)
- Exploit targets the `?doAs=` query parameter in the Apache Spark UI HTTP endpoint. Monitor GET requests containing backtick-wrapped shell commands in the `doAs` parameter value.
- Vulnerability is only triggerable when `spark.acls.enable` is set to `true` in the Spark configuration. Audit Spark configurations for this setting in exposed deployments.
- Shodan queries `title:"Spark Master at"` and `http.title:"spark master at"` can identify exposed Apache Spark UI instances for proactive scanning.
- FOFA queries `body="/apps/imt/html/"` and `title="spark master at"` can identify exposed Apache Spark UI instances.
- The injection point is in the `HttpSecurityFilter` code path. Look for process spawning (e.g., `/bin/sh` or `id`, `whoami`) as child processes of the Spark JVM process, indicating successful shell command execution.
- The vulnerability is only exploitable when `spark.acls.enable` is explicitly set to `true`. This is a non-default setting, so default Spark deployments are NOT vulnerable.
- CVE-2023-32007 is not a new vulnerability — it is solely a clarification that Spark version 3.1.3 is also affected by CVE-2022-33891, which was previously incorrectly marked as fixed in 3.1.3.
- Red Hat Middleware products (Data Grid 7, Fuse 7, Camel K, Camel for Spring Boot) do not ship Apache Spark 3.x and are not affected, even if `spark.acls.enable` were set.
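The two checks the detection notes above describe, written out as an added example (this is not code from any of the aggregated sources): a `spark-defaults.conf` audit for the `spark.acls.enable` precondition, and a scan of Spark UI access-log lines for `doAs` values carrying shell metacharacters. The combined log-line format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# A legitimate doAs value is a user name. Backticks, $(), ;, |, & and friends
# have no business in it, because the vulnerable path splices the value into
# a Unix shell command; their presence is the signal, not any specific command.
SHELL_META = re.compile(r"[`$;|&<>(){}\n]")

# Combined-log-format access line (assumed format; adapt to your proxy's logs).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_doas(target):
    """Return the decoded doAs value if it contains shell metacharacters, else None."""
    params = parse_qs(urlparse(target).query, keep_blank_values=True)
    for value in params.get("doAs", []):  # parse_qs already percent-decodes once
        if SHELL_META.search(value):
            return value
    return None

def scan_log(lines):
    """Collect (source_ip, timestamp, doAs_value) for every request worth investigating."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        bad = suspicious_doas(m.group("target"))
        if bad is not None:
            hits.append((m.group("src"), m.group("ts"), bad))
    return hits

def acls_enabled(conf_text):
    """True if spark-defaults.conf style text ('key value' or 'key=value') sets
    spark.acls.enable to true. The option defaults to false, so an absent key
    means a default deployment, which the advisories state is not vulnerable."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=:]+", line, maxsplit=1)
        if parts[0] == "spark.acls.enable" and len(parts) == 2:
            return parts[1].strip().lower() == "true"
    return False

# Constructed sample data. The second line carries the backtick-wrapped `id`
# pattern the detection notes describe; the others are benign UI traffic.
SAMPLE_LOG = [
    '198.51.100.4 - - [20/Jul/2022:10:15:02 +0000] "GET /jobs/?doAs=alice HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Jul/2022:10:16:40 +0000] "GET /jobs/?doAs=%60id%60 HTTP/1.1" 200 512',
    '198.51.100.4 - - [20/Jul/2022:10:17:09 +0000] "GET /stages/ HTTP/1.1" 200 2048',
]
SAMPLE_CONF = "spark.master            spark://master:7077\nspark.acls.enable       true\n"

if __name__ == "__main__":
    print("spark.acls.enable set:", acls_enabled(SAMPLE_CONF))
    for src, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} doAs={value!r}")
```

A hit only matters on a host where `acls_enabled` is true and the Spark version falls in an affected range; on a default configuration the same request is noise rather than an exploit attempt.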
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| ghsa | — | 8.8 | HIGH | — |
| osv | — | 8.8 | HIGH | — |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
| vendor_apache | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
CISA
Apache Spark Command Injection Vulnerability
cisa · 2023-03-07 · CVSS 8.8 · HIGH · CWE-78
Vulnerability: Apache Spark Command Injection Vulnerability
Affected: Apache Spark
Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled.
Required Action: Apply updates per vendor instructions.
Notes: https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc; https://nvd.nist.gov/vuln/detail/CVE-2022-33891
Remediation Due Date: 2023-03-28
Red Hat
apache-spark: Apache Spark shell command injection vulnerability via Spark UI
vendor_redhat · 2022-07-18 · CVSS 8.8 · HIGH · CWE-77
Apache
Apache spark: CVE-2022-33891
vendor_apache · CVSS 8.8 · HIGH
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 3.1.3 and earlier (previously, this was marked as fixed in 3.1.3; this change is tracked as CVE-2023-32007); 3.2.0 to 3.2.1
Description: The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell comm
Apache
Apache spark: CVE-2023-32007
vendor_apache · CVSS 8.8 · HIGH
This CVE is only an update to CVE-2022-33891 to clarify that version 3.1.3 is also affected. It is otherwise not a new vulnerability. Note that Apache Spark 3.1.x is EOL now.
Affected versions: 3.1.3
OSV
CVE-2023-32007: ** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark
osv · 2023-05-02 · CVSS 8.8 · HIGH
** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected.
NOTE: This vul
OSV
Apache Spark UI vulnerable to Command Injection
osv · 2023-05-02 · CVSS 8.8 · HIGH
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected
GHSA
Apache Spark UI vulnerable to Command Injection
ghsa · 2023-05-02 · CVSS 8.8 · HIGH · CWE-77
GHSA
Apache Spark UI can allow impersonation if ACLs enabled
ghsa · 2022-07-19 · HIGH · CWE-78
The Apache Spark UI offers the possibility to enable ACLs via the configuration option `spark.acls.enable`. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
A previous version
OSV
Apache Spark UI can allow impersonation if ACLs enabled
osv · 2022-07-19 · HIGH
A previous version
OSV
CVE-2022-33891: The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark
osv · 2022-07-18
VulnCheck
Apache Spark Command Injection Vulnerability
vulncheck · 2022 · CVSS 8.8 · HIGH · CWE-78
Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled.
Affected: Apache Spark
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/
- https://fortiguard.fortinet.com/threat-signal-report/4926/new-zerobot-variant-exploits-additional-vulnerabilities-for-propagation
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2022-33891
- https://dashboard.shadowserver.org/statistics/honeypot
No detection rules found.
Metasploit
Apache Spark Unauthenticated Command Injection RCE
metasploit
This module exploits an unauthenticated command injection vulnerability in Apache Spark. Successful exploitation results in remote code execution under the context of the Spark application user. The command injection occurs because Spark checks the group membership of the user passed in the ?doAs parameter by using a raw Linux command. It is triggered by a non-default setting called spark.acls.enable. This configuration setting spark.acls.enable should be set true in the Spark configuration to make the application vulnerable for this attack. Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1 are affected by this vulnerability.
Nuclei
Apache Spark UI - Remote Command Injection
nuclei · CVSS 8.8 · HIGH
Apache Spark UI is susceptible to remote command injection. ACLs can be enabled via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow impersonation by providing an arbitrary user name. An attacker can potentially reach a permission check function that will ultimately build a Unix shell command based on input and execute it, resulting in arbitrary shell command execution. Affected versions are 3.0.3 and earlier, 3.1.1 to 3.1.2, and 3.2.0 to 3.2.1.
Template:
```yaml
id: CVE-2022-33891
info:
  name: Apache Spark UI - Remote Command Injection
  author: princechaddha
  severity: high
  descri
```
Qualys
Identify Server-Side Attacks Using Qualys Periscope | Qualys
blogs_qualys · 2022-12-01 · CVSS 8.8 · HIGH
#### Table of Contents
- Potential False Positives
- Potential False Negatives
Qualys previously announced the introduction of Qualys Periscope in 2020. This technology allows Qualys Web Application Scanning (WAS) to detect out-of-band vulnerabilities such as server-side request forgery (SSRF). Qualys Periscope provides confirmed detections for additional vulnerabilities, such as Log4j, where it enables rapid development and release of the QID. Occasionally, Qualys receives questions and support cases related to Qualys Periscope. This article will provide more detail on the common questions/situations seen with out-of-band detections.
As of publishing, the vulnerability detections that utilize Qualys Periscope are:
- QID 150055 – OS Command Injection
- QID 150179 – Blind XXE injection
References
- http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
- http://www.openwall.com/lists/oss-security/2023/05/02/1
- https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-33891
Timeline
- 2022-07-18: Published
- 2023-03-07: Added to CISA KEV
- Exploited in the wild