
How should this high-severity Spark vulnerability be handled? CVE-2022-33891: Apache Spark shell command injection vulnerability via Spark UI

Problem description:

CVE-2022-33891: Apache Spark shell command injection vulnerability via Spark UI

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

  • 3.0.3 and earlier
  • 3.1.1 to 3.1.2
  • 3.2.0 to 3.2.1

Description:

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as.

Mitigation:

  • Update to Spark 3.1.3, 3.2.2, or 3.3.0 or later

Credit:

  • Kostya Torchinsky (Databricks)

Official link: https://spark.apache.org/security.html
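The advisory above lists the affected version ranges and says the vulnerable code path is only reachable when spark.acls.enable is on. The following script is an added example for checking a deployment against those two conditions; it is not Apache Spark code, and the sample spark-defaults.conf content is constructed for the demonstration. It treats the version list literally (3.1.0 is not in the advisory's affected list and is therefore not flagged) and reports an affected version as needing the upgrade even when ACLs are off, since the fix is the upgrade in every case.

```python
"""Check a Spark version and spark-defaults.conf against CVE-2022-33891.

Added example, not Apache Spark code. The affected and fixed versions
are taken from the advisory text: affected are 3.0.3 and earlier,
3.1.1 to 3.1.2 and 3.2.0 to 3.2.1; fixed are 3.1.3, 3.2.2 and 3.3.0+.
"""
import re

# Constructed sample of a spark-defaults.conf (not from any real cluster).
SAMPLE_CONF = """\
# Spark defaults for the demo cluster (constructed sample)
spark.master            yarn
spark.acls.enable       true
spark.ui.filters=org.example.DemoAuthFilter
"""


def parse_version(s):
    """Turn '3.2.1' (optionally with a suffix such as '-SNAPSHOT') into a tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.+].*)?", s.strip())
    if not m:
        raise ValueError(f"unrecognised Spark version: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    """True if the version falls in one of the advisory's affected ranges."""
    v = parse_version(version)
    return (
        v <= (3, 0, 3)                       # 3.0.3 and earlier
        or (3, 1, 1) <= v <= (3, 1, 2)       # 3.1.1 to 3.1.2
        or (3, 2, 0) <= v <= (3, 2, 1)       # 3.2.0 to 3.2.1
    )


def parse_spark_defaults(text):
    """Parse spark-defaults.conf: 'key value' or 'key=value', '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^\s=]+)\s*(?:=|\s)\s*(.*)", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def acls_enabled(conf):
    """spark.acls.enable defaults to false when the key is absent."""
    return conf.get("spark.acls.enable", "false").lower() == "true"


def assess(version, conf_text):
    """Return a short verdict combining version range and ACL setting."""
    conf = parse_spark_defaults(conf_text)
    if not is_affected_version(version):
        return "not affected: version is outside the advisory ranges"
    if acls_enabled(conf):
        return ("exposed: affected version with spark.acls.enable=true; "
                "upgrade to 3.1.3, 3.2.2 or 3.3.0+")
    return ("affected version: spark.acls.enable is off, but upgrade to "
            "3.1.3, 3.2.2 or 3.3.0+ before enabling ACLs")


if __name__ == "__main__":
    for ver in ("3.0.3", "3.1.2", "3.2.1", "3.2.2", "3.3.0"):
        print(ver, "->", assess(ver, SAMPLE_CONF))
```

Run it as-is to see the verdict for each version against the constructed config, or point assess() at the real spark-defaults.conf contents of a cluster under review.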


1 answer

3443073884

Answered on 2022-08-10 13:02

Just upgrade.

