CVE-2023-22946
Published: 2023-04-17
Priority: P261 · critical · 9.9 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.11% (61.8th percentile)
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.
Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | spark | < 3.4.0 | 3.4.0 |
| apache | spark | — | — |
| apache_software_foundation | apache_spark | < 3.4.0 | 3.4.0 |
Detection & IOCs (extracted from sources)
- Detect spark-submit invocations that attempt to override spark.submit.proxyUser.allowCustomClasspathInClusterMode to a non-default (non-false) value, which is the key exploitation vector for this CVE.
- Monitor for proxy-user privilege escalation attempts via spark-submit where malicious configuration-related classes are supplied on the classpath in cluster mode.
- Environments using Apache Livy to manage submitted Spark applications are specifically at risk; audit Livy-submitted jobs for classpath manipulation attempts.
- The configuration property spark.submit.proxyUser.allowCustomClasspathInClusterMode must remain at its default value of 'false' and must not be overridable by submitted applications; any deviation enables privilege escalation.
- All Apache Spark versions prior to 3.4.0 are affected; upgrading to 3.4.0 or later is required to remediate the vulnerability.
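The detection advice above can be turned into a simple audit of a job submission. The following is an added example, not code from the advisory or from the Spark project: it parses a spark-submit argument list and a spark-defaults.conf, flags any attempt to set spark.submit.proxyUser.allowCustomClasspathInClusterMode, and flags a proxy-user cluster-mode submission that also carries a custom classpath (the spark.driver.extraClassPath / spark.executor.extraClassPath property names are standard Spark settings; all sample inputs are constructed).

```python
# Added example, not from the advisory or the Spark project: audits a spark-submit
# argv and spark-defaults.conf for overrides of the key above. Sample inputs are constructed.
import re
KEY = "spark.submit.proxyUser.allowCustomClasspathInClusterMode"
CLASSPATH_KEYS = ("spark.driver.extraClassPath", "spark.executor.extraClassPath")  # standard Spark properties

def parse_defaults(conf_text):
    """Parse spark-defaults.conf lines ('key value' or 'key=value'), skipping blanks and comments."""
    props = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*[=:\s]\s*", line, maxsplit=1)  # split on the first separator only
        if len(parts) == 2:
            props[parts[0]] = parts[1]
    return props

def parse_submit_args(argv):
    """Collect --conf pairs, --proxy-user and --deploy-mode from a spark-submit argv."""
    confs, proxy_user, deploy_mode = {}, None, "client"  # spark-submit defaults to client mode
    it = iter(argv)
    for tok in it:
        if tok == "--conf":
            key, _, value = next(it, "").partition("=")
            confs[key] = value
        elif tok == "--proxy-user":
            proxy_user = next(it, None)
        elif tok == "--deploy-mode":
            deploy_mode = next(it, deploy_mode)
    return confs, proxy_user, deploy_mode

def audit(argv, defaults_text):
    """Return findings; an empty list means the submission follows the advisory's guidance."""
    findings = []
    confs, proxy_user, deploy_mode = parse_submit_args(argv)
    defaults = parse_defaults(defaults_text)
    if defaults.get(KEY, "false").lower() != "false":
        findings.append(f"spark-defaults.conf sets {KEY}={defaults[KEY]}; it must stay false")
    if KEY in confs:  # submitted applications must not be able to set this key at all
        findings.append(f"submission tries to set {KEY}={confs[KEY]} via --conf")
    if proxy_user and deploy_mode == "cluster" and any(k in confs for k in CLASSPATH_KEYS):
        findings.append(f"proxy-user {proxy_user} submits in cluster mode with a custom classpath")
    return findings

BAD_ARGV = ["spark-submit", "--deploy-mode", "cluster", "--proxy-user", "alice",  # constructed: violates guidance
            "--conf", f"{KEY}=true", "--conf", "spark.driver.extraClassPath=/opt/jobs/extra.jar", "app.jar"]
BAD_CONF = f"# cluster defaults\nspark.master yarn\n{KEY} true\n"
GOOD_ARGV = ["spark-submit", "--deploy-mode", "cluster", "--proxy-user", "alice", "app.jar"]  # constructed: compliant
GOOD_CONF = f"spark.master yarn\n{KEY} false\n"
```

Run `audit(BAD_ARGV, BAD_CONF)` to see all three findings and `audit(GOOD_ARGV, GOOD_CONF)` to see none; the same functions can be pointed at Livy-generated submissions by feeding them the argument list Livy builds.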
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| vendor_oracle | 9.9 | MEDIUM | — |
| vendor_apache | 6.4 | — | — |
OSV
Apache Spark vulnerable to Improper Privilege Management (osv · 2023-04-17)
CVE-2023-22946 [CRITICAL]
In Apache Spark versions prior to versions 3.4.0 and 3.3.3, applications using spark-submit can specify a `proxy-user` to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.
Update to Apache Spark 3.4.0, 3.3.3, or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.
GHSA
Apache Spark vulnerable to Improper Privilege Management (ghsa · 2023-04-17)
CVE-2023-22946 [CRITICAL] CWE-269
In Apache Spark versions prior to versions 3.4.0 and 3.3.3, applications using spark-submit can specify a `proxy-user` to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.
Update to Apache Spark 3.4.0, 3.3.3, or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.
OSV
CVE-2023-22946: In Apache Spark versions prior to 3 (osv · 2023-04-17)
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.
Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.
Oracle
Oracle Financial Services Applications Risk Matrix: Installer (Apache Spark) (vendor_oracle · 2023-10-15 · CVSS 9.9)
CVE-2023-22946 [MEDIUM]
CVE: CVE-2023-22946
CVSS: 9.9
Protocol: HTTP
Remote exploit: No
Attack vector: Network
Advisory: cpuoct2023 (OCT 2023)
Apache
Apache Spark: CVE-2023-22946 (vendor_apache · CVSS 6.4)
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Versions prior to 3.4.0
Description: In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. This issue is being tracked as SPARK-41958.
Mitigation: Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.
No detection rules found.
No public exploits indexed.
Qualys
Oracle Patch Tuesday, October 2023 Security Update Review | Qualys (blogs_qualys · 2023-10-18)
#### Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
Oracle has released its fourth quarterly edition of Critical Patch Update, which contains a group of patches for 387 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in Oracle code and third-party components included in Oracle products.
During the Q4 2023 Oracle Critical Patch Update, Oracle Financial Services Applications received the highest number of 103 patches, constituting 26% of the total patches released. Oracle Communications and Oracle Fusion Middleware fo