Repository: spark-website Updated Branches: refs/heads/asf-site 434db70b4 -> a1f847efc
Added CVE-2017-12612 Project: http://git-wip-us.apache.org/repos/asf/spark-website/repo Commit: http://git-wip-us.apache.org/repos/asf/spark-website/commit/6d90ff44 Tree: http://git-wip-us.apache.org/repos/asf/spark-website/tree/6d90ff44 Diff: http://git-wip-us.apache.org/repos/asf/spark-website/diff/6d90ff44 Branch: refs/heads/asf-site Commit: 6d90ff44d674c716e93f811cc9308144cb67f083 Parents: 434db70 Author: Sean Owen <[email protected]> Authored: Fri Sep 8 08:12:58 2017 +0100 Committer: Sean Owen <[email protected]> Committed: Fri Sep 8 08:12:58 2017 +0100 ---------------------------------------------------------------------- security.md | 25 +++++++++++++++++++++++++ site/security.html | 27 +++++++++++++++++++++++++++ 2 files changed, 52 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/spark-website/blob/6d90ff44/security.md ---------------------------------------------------------------------- diff --git a/security.md b/security.md index a26f1d1..c5e6dbd 100644 --- a/security.md +++ b/security.md 
@@ -17,6 +17,31 @@ non-public list that will reach the Spark PMC. Messages to `[email protected]` <h2>Known Security Issues</h2> +<h3 id="CVE-2017-12612">CVE-2017-12612 Unsafe deserialization in Apache Spark launcher API</h3> + +Severity: Medium + +Vendor: The Apache Software Foundation + +Versions Affected: +Versions of Apache Spark from 1.6.0 until 2.1.1 + +Description: +In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe +deserialization of data received by its socket. This makes applications +launched programmatically using the launcher API potentially +vulnerable to arbitrary code execution by an attacker with access to any user +account on the local machine. It does not affect apps run by spark-submit or +spark-shell. The attacker would be able to execute code as the user that ran +the Spark application. Users are encouraged to update to version 2.2.0 or +later. + +Mitigation: +Update to Apache Spark 2.2.0 or later. + +Credit: +- Aditya Sharad, Semmle + <h3 id="CVE-2017-7678">CVE-2017-7678 Apache Spark XSS web UI MHTML vulnerability</h3> Severity: Low http://git-wip-us.apache.org/repos/asf/spark-website/blob/6d90ff44/site/security.html ---------------------------------------------------------------------- diff --git a/site/security.html b/site/security.html index 31496f8..4b71319 100644 --- a/site/security.html +++ b/site/security.html 
@@ -204,6 +204,33 @@ non-public list that will reach the Spark PMC. Messages to <code>security@apache <h2>Known Security Issues</h2> +<h3 id="CVE-2017-12612">CVE-2017-12612 Unsafe deserialization in Apache Spark launcher API</h3> + +<p>Severity: Medium</p> + +<p>Vendor: The Apache Software Foundation</p> + +<p>Versions Affected: +Versions of Apache Spark from 1.6.0 until 2.1.1</p> + +<p>Description: +In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe +deserialization of data received by its socket. This makes applications +launched programmatically using the launcher API potentially +vulnerable to arbitrary code execution by an attacker with access to any user +account on the local machine. It does not affect apps run by spark-submit or +spark-shell. The attacker would be able to execute code as the user that ran +the Spark application. Users are encouraged to update to version 2.2.0 or +later.</p> + +<p>Mitigation: +Update to Apache Spark 2.2.0 or later.</p> + +<p>Credit:</p> +<ul> + <li>Aditya Sharad, Semmle</li> +</ul> + <h3 id="CVE-2017-7678">CVE-2017-7678 Apache Spark XSS web UI MHTML vulnerability</h3> <p>Severity: Low</p> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
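Review bot: the Versions Affected line in the security.md hunk, "Versions of Apache Spark from 1.6.0 until 2.1.1", leaves it open whether 2.1.1 itself is vulnerable; since the Mitigation is "Update to Apache Spark 2.2.0 or later", 2.1.1 is evidently included, so write it as "1.6.0 through 2.1.1 (inclusive)" in both the Versions Affected and the Description lines. The Mitigation section also lists only the upgrade, while the Description already states that apps run by spark-submit or spark-shell are not affected; either record that as an interim workaround for users who cannot move to 2.2.0 yet, or state plainly that upgrading is the only fix, so readers do not assume a workaround was omitted.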
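Review bot: the site/security.html hunk repeats the same ambiguous "from 1.6.0 until 2.1.1" wording as security.md, so any tightening of the affected range must be made in security.md and the HTML regenerated rather than hand-edited here, otherwise the two files drift apart. Apart from that, the rendered block mirrors the markdown faithfully (same id="CVE-2017-12612" anchor, same Severity/Vendor/Mitigation paragraphs, same single-item Credit list), so nothing else needs changing in this hunk.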
