CVE-2022-33891
published 2022-07-18


Priority: P194, high (8.8, CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, exploit available; initial access
CISA Known Exploited Vulnerability, due 2023-03-28
Exploited in the wild
EPSS: 92.98% (99.8th percentile)
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

Affected (6 ranges)

Vendor                       Product        Version range        Fixed in
apache                       spark          <= 3.0.3
apache                       spark
apache                       spark          3.1.1 – 3.1.2
apache                       spark          3.1.1 – 3.1.3
apache                       spark          3.2.0 – 3.2.1
apache_software_foundation   apache_spark   >= 3.1.1, < 3.2.2    3.2.2

Detection & IOCs (extracted from sources)

Indicator (other): doAs=
  • Exploit targets the `?doAs=` query parameter in the Apache Spark UI HTTP endpoint. Monitor GET requests containing backtick-wrapped shell commands in the `doAs` parameter value.
  • Vulnerability is only triggerable when `spark.acls.enable` is set to `true` in the Spark configuration. Audit Spark configurations for this setting in exposed deployments.
  • Shodan queries `title:"Spark Master at"` and `http.title:"spark master at"` can identify exposed Apache Spark UI instances for proactive scanning.
  • FOFA queries `body="/apps/imt/html/"` and `title="spark master at"` can identify exposed Apache Spark UI instances.
  • The injection point is in `HttpSecurityFilter` code path. Look for process spawning (e.g., `/bin/sh` or `id`, `whoami`) as child processes of the Spark JVM process, indicating successful shell command execution.
  • The vulnerability is only exploitable when `spark.acls.enable` is explicitly set to `true`. This is a non-default setting, so default Spark deployments are NOT vulnerable.
  • CVE-2023-32007 is not a new vulnerability — it is solely a clarification that Spark version 3.1.3 is also affected by CVE-2022-33891, which was previously incorrectly marked as fixed in 3.1.3.
  • Red Hat Middleware products (Data Grid 7, Fuse 7, Camel K, Camel for Spring Boot) do not ship Apache Spark 3.x and are not affected, even if `spark.acls.enable` were set.
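The two checks the bullets above describe, as an added example that is not part of this CVE record: one audits a spark-defaults.conf text for the `spark.acls.enable` precondition, the other scans web-server access log lines (common log format is assumed) for `doAs` values carrying shell metacharacters. The sample configuration and log lines are constructed.

```python
"""Added example (not from the CVE record): two defender-side checks for CVE-2022-33891."""
import re
from urllib.parse import parse_qs, urlsplit

# Characters that let a doAs value escape into the shell (the record notes backticks).
SHELL_META = re.compile(r"[`;|&$]")


def spark_acls_enabled(conf_text: str) -> bool:
    """Return True if a spark-defaults.conf text sets spark.acls.enable to true,
    the non-default precondition for this bug. Lines are 'key<ws>value'; '#' comments."""
    enabled = False
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "spark.acls.enable":
            enabled = parts[1].strip().lower() == "true"  # last assignment wins
    return enabled


# Common log format (assumed): client, ident, user, [time], "METHOD target proto".
ACCESS_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<target>\S+) [^"]*"')


def suspicious_doas(log_lines):
    """Return (client, decoded doAs value) for requests whose doAs query parameter
    contains shell metacharacters. parse_qs URL-decodes, so %60 becomes a backtick."""
    hits = []
    for line in log_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        for value in parse_qs(urlsplit(m.group("target")).query).get("doAs", []):
            if SHELL_META.search(value):
                hits.append((m.group("client"), value))
    return hits


# Constructed sample input, not real data.
SAMPLE_CONF = "spark.master   spark://master:7077\nspark.acls.enable   true\n"
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jul/2022:10:00:00 +0000] "GET /jobs/?doAs=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Jul/2022:10:00:01 +0000] "GET /jobs/?doAs=%60id%60 HTTP/1.1" 403 0',
    '10.0.0.9 - - [18/Jul/2022:10:00:02 +0000] "GET /jobs/?doAs=bob%3Bwhoami HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    print("spark.acls.enable=true:", spark_acls_enabled(SAMPLE_CONF))
    for client, value in suspicious_doas(SAMPLE_LOG):
        print(f"suspicious doAs from {client}: {value!r}")
```

A hit only indicates an attempt; the bullet above on child processes of the Spark JVM (`/bin/sh`, `id`, `whoami`) is the signal that the command actually ran.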

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ghsa                      8.8     HIGH
osv                       8.8     HIGH
vulncheck                 8.8     HIGH
cisa                      8.8     HIGH
vendor_apache             8.8     HIGH
vendor_redhat             8.8     HIGH