CVE-2023-32007
Published: 2023-05-02
Priority: P2 · 75 · high · CVSS 3.1: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 75.79% (99.5th percentile)
** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Users are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | spark | <= 3.0.3 | — |
| apache | spark | — | — |
| apache | spark | 3.1.1 – 3.1.3 | — |
| apache | spark | 3.2.0 – 3.2.1 | — |
Detection & IOCs (extracted from sources)
url: /jobs/?doAs=
snort (sid 2056206):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Apache Spark OS Command Injection (CVE-2023-32007)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jobs/?doAs|3d|"; fast_pattern; startswith; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:url,mp.weixin.qq.com/s/jCvb9e_lPWLS01cjw2wqjw; reference:cve,2023-32007; classtype:web-application-attack; sid:2056206; rev:1; metadata:affected_product Apache_Spark, attack_target Server, tls_state TLSDecrypt, created_at 2024_09_26, cve CVE_2023_32007, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_09_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: pcre:/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R : shell metacharacters (;, newline, &, backtick, |, $) immediately following the doAs= parameter value
- Monitor HTTP GET requests to the Apache Spark UI path /jobs/?doAs= where the value supplied to the doAs parameter begins with or contains shell metacharacters (;, newline \x0a, &, backtick \x60, |, $), indicating OS command injection via user impersonation.
- The attack vector is the HttpSecurityFilter code path in the Spark UI when spark.acls.enable is set to true; an attacker supplies an arbitrary username via the doAs parameter to reach a permission check function that builds and executes a Unix shell command.
- Execution context is the OS user account running the Spark process; alert on unexpected child processes (e.g. /bin/sh) spawned from the Spark UI service process.
- Snort/Suricata SID 2056206 (ET rule) can be used to detect exploitation attempts; ensure TLS inspection (SSLDecrypt) is enabled for encrypted Spark UI traffic, as the rule metadata flags tls_state TLSDecrypt.
- The vulnerability is only exploitable when the Spark ACL feature is explicitly enabled via the configuration option spark.acls.enable=true; deployments with ACLs disabled are not affected.
- CVE-2023-32007 is not a new vulnerability: it is a clarification that Apache Spark 3.1.3 (now EOL) is also affected by CVE-2022-33891, which was previously and incorrectly marked as fixed in that version.
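The ET rule above only sees decrypted network traffic; the same matching logic can be run retrospectively over the Spark UI's own HTTP access logs. The following is an added example (not code from the CVE record, Apache Spark or the ET ruleset) that re-implements sid 2056206's anchored check and adds the broader "metacharacter anywhere in the doAs value" hunt from the guidance above. The log lines are constructed, and the combined access-log layout is an assumption.

```python
# Added example: hunts Spark UI access logs for the doAs command-injection
# pattern matched by ET sid 2056206 (CVE-2023-32007 / CVE-2022-33891).
import re
from urllib.parse import unquote

# sid 2056206: URI must START with "/jobs/?doAs=" and, via pcre /R, one of
# ; \n & ` | $ must follow IMMEDIATELY after "doAs=".
META_AT_START = re.compile(r"^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)")
# Broader hunting variant from the guidance: any metacharacter anywhere in the value.
META_ANYWHERE = re.compile(r"[;\n&`|$]")
DOAS_PREFIX = "/jobs/?doAs="

# Assumed combined access-log layout: client, ident, user, [timestamp], "request", status.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(uri: str) -> str:
    """Return 'rule_match' (what the ET rule fires on), 'suspicious', or 'clean'."""
    decoded = unquote(uri)  # Suricata's http.uri buffer is percent-decoded, so decode first
    if not decoded.startswith(DOAS_PREFIX):
        return "clean"
    value = decoded[len(DOAS_PREFIX):]
    if META_AT_START.match(value):
        return "rule_match"
    if META_ANYWHERE.search(value):
        return "suspicious"
    return "clean"

def scan(lines):
    """Return (client, raw_uri, verdict) for every GET whose doAs value is not clean."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m.group("method") != "GET":
            continue
        verdict = classify(m.group("uri"))
        if verdict != "clean":
            hits.append((m.group("src"), m.group("uri"), verdict))
    return hits

# Constructed sample log: one benign impersonation, one backtick-led value (rule match),
# one value with a ';' later in the string (broader hunt), one unrelated page.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Sep/2024:10:01:02 +0000] "GET /jobs/?doAs=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [26/Sep/2024:10:01:07 +0000] "GET /jobs/?doAs=%60TEST%60 HTTP/1.1" 403 0',
    '10.0.0.9 - - [26/Sep/2024:10:01:09 +0000] "GET /jobs/?doAs=bob%3BTEST HTTP/1.1" 403 0',
    '10.0.0.7 - - [26/Sep/2024:10:01:11 +0000] "GET /stages/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Note that both the ET rule and this check anchor on a URI starting with /jobs/?doAs=, so a Spark UI served under a path prefix (for example behind the YARN proxy) needs the prefix stripped or the anchor relaxed before the check is useful.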
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| ghsa | — | 8.8 | HIGH | — |
| osv | — | 8.8 | HIGH | — |
| vendor_apache | — | 8.8 | HIGH | — |
Apache (vendor_apache · CVSS 8.8)
CVE-2022-33891 [HIGH] Apache spark: CVE-2022-33891
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 3.1.3 and earlier (previously, this was marked as fixed in 3.1.3; this change is tracked as CVE-2023-32007); 3.2.0 to 3.2.1
Description: identical to the CVE-2023-32007 description above.
Apache (vendor_apache · CVSS 8.8)
CVE-2023-32007 [HIGH] Apache spark: CVE-2023-32007
This CVE is only an update to CVE-2022-33891 to clarify that version 3.1.3 is also affected. It is otherwise not a new vulnerability. Note that Apache Spark 3.1.x is EOL now.
Affected versions: 3.1.3
OSV (osv · 2023-05-02 · CVSS 8.8)
CVE-2023-32007 [HIGH] CVE-2023-32007: ** UNSUPPORTED WHEN ASSIGNED ** (description identical to the CVE-2023-32007 description above)
OSV (osv · 2023-05-02 · CVSS 8.8)
CVE-2023-32007 [HIGH] Apache Spark UI vulnerable to Command Injection (description identical to the CVE-2023-32007 description above)
GHSA (ghsa · 2023-05-02 · CVSS 8.8)
CVE-2023-32007 [HIGH] CWE-77 Apache Spark UI vulnerable to Command Injection (description identical to the CVE-2023-32007 description above)
Suricata (suricata · 2024-09-26 · CVSS 8.8)
CVE-2023-32007 [HIGH] ET WEB_SPECIFIC_APPS Apache Spark OS Command Injection (CVE-2023-32007)
Rule: sid 2056206, quoted in full under Detection & IOCs above.
No public exploits indexed.
No writeups or analysis indexed.
References:
- http://www.openwall.com/lists/oss-security/2023/05/02/1
- https://lists.apache.org/thread/poxgnxhhnzz735kr1wos366l5vdbb0nv
- https://spark.apache.org/security.html
- https://www.cve.org/CVERecord?id=CVE-2022-33891