Apache Spark UI Command Injection Vulnerability (CVE-2022-33891)

OSCS (Open Source Software Supply Chain Security Community) has launched a free vulnerability and poisoning intelligence subscription service. Community users can subscribe to intelligence information through robots: https://www.oscs1024.com/?src=csdn

Vulnerability Overview

On July 18, OSCS detected that Apache had issued a security bulletin fixing a command injection vulnerability in the Apache Spark UI. Vulnerability number: CVE-2022-33891. Vulnerability threat level: High.

Apache Spark, from the Apache Software Foundation, is a large-scale data processing engine that supports acyclic data flow and in-memory computing.

If ACLs are enabled on the Apache Spark UI, a code path in HttpSecurityFilter allows impersonation by supplying an arbitrary username. A malicious user can then reach the permission-checking function, which builds a Unix shell command from that input and executes it. An attacker can exploit this vulnerability to execute arbitrary shell commands.

Given the severity of this vulnerability and the public availability of a POC, users are advised to check for it and fix it as soon as possible.

Vulnerability Rating: High

Projects Affected: Apache Spark

Affected versions:

org.apache.spark:spark-core_2.12@(-∞, 3.1.3)

org.apache.spark:spark-core_2.12@[3.2.0, 3.2.2)

org.apache.spark:spark-core_2.13@[3.2.0, 3.2.2)

Troubleshooting method: obtain the Spark version and check whether it falls in the range (-∞, 3.1.3) or [3.2.0, 3.2.2); the second range applies to both the Scala 2.12 and Scala 2.13 builds of spark-core.
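As an added example (not code from the advisory or from the Apache Spark project), the following Python script implements this check: it extracts the Spark version from a bare version string or from the banner printed by `spark-submit --version`, tests it against the affected ranges listed above, and names the fixed release to upgrade to. The sample banner and host inventory are constructed, and the function names are assumptions.

```python
import re

# Affected ranges from the advisory, as (inclusive_low, exclusive_high) tuples.
# A low bound of None means "every earlier release". The same ranges apply to
# the spark-core_2.12 and spark-core_2.13 artifacts.
AFFECTED_RANGES = [
    (None, (3, 1, 3)),       # (-inf, 3.1.3)
    ((3, 2, 0), (3, 2, 2)),  # [3.2.0, 3.2.2), i.e. 3.2.0 and 3.2.1
]

# Constructed, abbreviated sample of the banner `spark-submit --version`
# prints. The Spark version line appears before the "Using Scala version"
# line, so the first "version X.Y.Z" match is the Spark version.
SAMPLE_BANNER = (
    "Welcome to\n"
    "   /___/ .__/\\_,_/_/ /_/\\_\\   version 3.2.1\n"
    "      /_/\n"
    "\n"
    "Using Scala version 2.12.15, OpenJDK 64-Bit Server VM, 1.8.0_312\n"
)

# Constructed inventory of host -> version string (or captured banner).
SAMPLE_INVENTORY = {
    "spark-edge-01": "3.1.2",
    "spark-edge-02": "3.2.2",
    "spark-batch-07": SAMPLE_BANNER,
    "spark-legacy-03": "2.4.8",
}

BANNER_RE = re.compile(r"version\s+(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)
BARE_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a bare version like '3.2.1' or from a
    spark-submit banner. Suffixes such as '-SNAPSHOT' are ignored."""
    m = BANNER_RE.search(text) or BARE_RE.search(text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def _to_tuple(version):
    return parse_version(version) if isinstance(version, str) else tuple(version)


def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    v = _to_tuple(version)
    return any((low is None or low <= v) and v < high for low, high in AFFECTED_RANGES)


def fix_version(version):
    """Lowest fixed release on the same line, or None if not affected:
    anything below 3.2.0 goes to 3.1.3, the 3.2.x line goes to 3.2.2."""
    v = _to_tuple(version)
    if not is_affected(v):
        return None
    return "3.1.3" if v < (3, 2, 0) else "3.2.2"


def audit(inventory):
    """Map each affected host to the release it should be upgraded to."""
    result = {}
    for host, text in inventory.items():
        target = fix_version(text)
        if target is not None:
            result[host] = target
    return result


if __name__ == "__main__":
    for host, target in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: affected by CVE-2022-33891, upgrade to {target}")
```

Feed `audit()` a dictionary built from the `spark-submit --version` output collected on each host; hosts that are not returned are outside the affected ranges.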

More vulnerability details can be viewed in the OSCS community:

https://www.oscs1024.com/hd/MPS-2022-19085

Disposal advice

Upgrade Apache Spark to 3.1.3, 3.2.2, 3.3.0 or a later release.

Reference link

https://www.oscs1024.com/hd/MPS-2022-19085

https://www.openwall.com/lists/oss-security/2022/07/17/1

Learn more

1. Use OSCS's intelligence subscription service for free

OSCS (Open Source Software Supply Chain Security Community) publishes the latest security risk trends of open source projects as quickly and completely as possible, including security vulnerabilities and incidents affecting open source components. You can also subscribe to intelligence information in other ways; for details on how to subscribe, see:

https://www.oscs1024.com/docs/vuln-warning/intro/?src=wx

Origin www.oschina.net/news/203428