Repository: spark-website
Updated Branches:
  refs/heads/asf-site a6788714a -> 85c47b705


Add ref to CVE-2018-1334, CVE-2018-8024


Project: http://git-wip-us.apache.org/repos/asf/spark-website/repo
Commit: http://git-wip-us.apache.org/repos/asf/spark-website/commit/85c47b70
Tree: http://git-wip-us.apache.org/repos/asf/spark-website/tree/85c47b70
Diff: http://git-wip-us.apache.org/repos/asf/spark-website/diff/85c47b70

Branch: refs/heads/asf-site
Commit: 85c47b70516aad3b04c46438b598d379121a4778
Parents: a678871
Author: Sean Owen <sro...@gmail.com>
Authored: Wed Jul 11 15:14:26 2018 -0500
Committer: Sean Owen <sro...@gmail.com>
Committed: Wed Jul 11 15:14:26 2018 -0500

----------------------------------------------------------------------
 security.md        | 55 +++++++++++++++++++++++++++++++++++++++-
 site/security.html | 67 ++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 120 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/spark-website/blob/85c47b70/security.md
----------------------------------------------------------------------
diff --git a/security.md b/security.md
index bd2e66f..f99b9bd 100644
--- a/security.md
+++ b/security.md
@@ -17,6 +17,59 @@ non-public list that will reach the Apache Security team, as 
well as the Spark P
 
 <h2>Known Security Issues</h2>
 
+<h3 id="CVE-2018-8024">CVE-2018-8024: Apache Spark XSS vulnerability in UI</h3>
+
+Versions Affected:
+
+- Spark versions through 2.1.2
+- Spark 2.2.0 through 2.2.1
+- Spark 2.3.0
+
+Description:
+In Apache Spark up to and including 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's 
possible for a malicious 
+user to construct a URL pointing to a Spark cluster's UI's job and stage info 
pages, and if a user can 
+be tricked into accessing the URL, can be used to cause script to execute and 
expose information from 
+the user's view of the Spark UI. While some browsers like recent versions of 
Chrome and Safari are 
+able to block this type of attack, current versions of Firefox (and possibly 
others) do not.
+
+Mitigation:
+
+- 1.x, 2.0.x, and 2.1.x users should upgrade to 2.1.3 or newer
+- 2.2.x users should upgrade to 2.2.2 or newer
+- 2.3.x users should upgrade to 2.3.1 or newer
+
+Credit:
+
+- Spencer Gietzen, Rhino Security Labs
+
+<h3 id="CVE-2018-1334">CVE-2018-1334: Apache Spark local privilege escalation 
vulnerability</h3>
+
+Severity: High
+
+Vendor: The Apache Software Foundation
+
+Versions affected:
+
+- Spark versions through 2.1.2
+- Spark 2.2.0 to 2.2.1
+- Spark 2.3.0
+
+Description:
+In Apache Spark up to and including 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when 
using PySpark or SparkR, 
+it's possible for a different local user to connect to the Spark application 
and impersonate the 
+user running the Spark application.
+
+Mitigation:
+
+- 1.x, 2.0.x, and 2.1.x users should upgrade to 2.1.3 or newer
+- 2.2.x users should upgrade to 2.2.2 or newer
+- 2.3.x users should upgrade to 2.3.1 or newer
+- Otherwise, affected users should avoid using PySpark and SparkR in 
multi-user environments.
+
+Credit:
+
+- Nehmé Tohmé, Cloudera, Inc.
+
 <h3 id="CVE-2017-12612">CVE-2017-12612 Unsafe deserialization in Apache Spark 
launcher API</h3>
 
 JIRA: [SPARK-20922](https://issues.apache.org/jira/browse/SPARK-20922)
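Review bot: the two new entries are missing fields the rest of the page carries, and they are inconsistent with each other. CVE-2018-8024 has no Severity or Vendor line, while CVE-2018-1334 directly below it has both, and neither new entry has the `JIRA:` line that the CVE-2017-12612 entry (and the SPARK-20393 entry further down) provide; add `Severity:` and `Vendor: The Apache Software Foundation` to CVE-2018-8024, and a JIRA reference to each entry where a tracking issue exists. Smaller consistency points: `Versions Affected:` vs `Versions affected:`, `2.2.0 through 2.2.1` vs `2.2.0 to 2.2.1`, and the new headings use `CVE-…:` with a colon where the existing `CVE-2017-12612 Unsafe deserialization…` heading does not. The CVE-2018-8024 description also loses its subject in the second clause: `and if a user can be tricked into accessing the URL, can be used to cause script to execute` reads better as `and if a user can be tricked into accessing the URL, it can be used to cause script to execute`. Finally, `Description:` is followed immediately by body text with no blank line (unlike `Mitigation:` and `Credit:`), so the site generator folds the label into the body paragraph; insert a blank line after `Description:` in both entries.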
@@ -49,7 +102,7 @@ Credit:
 
 JIRA: [SPARK-20393](https://issues.apache.org/jira/browse/SPARK-20393)
 
-Severity: Low
+Severity: Medium
 
 Vendor: The Apache Software Foundation
 
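Review bot: the severity of the SPARK-20393 entry is raised from Low to Medium, but the commit message (`Add ref to CVE-2018-1334, CVE-2018-8024`) says nothing about it and the entry itself gives no reason for the reclassification. A severity change on a published advisory should be traceable: either mention it in the commit message or add a short dated note to the entry stating why the rating was revised.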

http://git-wip-us.apache.org/repos/asf/spark-website/blob/85c47b70/site/security.html
----------------------------------------------------------------------
diff --git a/site/security.html b/site/security.html
index 4f30331..3e0aeac 100644
--- a/site/security.html
+++ b/site/security.html
@@ -210,6 +210,71 @@ non-public list that will reach the Apache Security team, 
as well as the Spark P
 
 <h2>Known Security Issues</h2>
 
+<h3 id="CVE-2018-8024">CVE-2018-8024: Apache Spark XSS vulnerability in UI</h3>
+
+<p>Versions Affected:</p>
+
+<ul>
+  <li>Spark versions through 2.1.2</li>
+  <li>Spark 2.2.0 through 2.2.1</li>
+  <li>Spark 2.3.0</li>
+</ul>
+
+<p>Description:
+In Apache Spark up to and including 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, 
it&#8217;s possible for a malicious 
+user to construct a URL pointing to a Spark cluster&#8217;s UI&#8217;s job and 
stage info pages, and if a user can 
+be tricked into accessing the URL, can be used to cause script to execute and 
expose information from 
+the user&#8217;s view of the Spark UI. While some browsers like recent 
versions of Chrome and Safari are 
+able to block this type of attack, current versions of Firefox (and possibly 
others) do not.</p>
+
+<p>Mitigation:</p>
+
+<ul>
+  <li>1.x, 2.0.x, and 2.1.x users should upgrade to 2.1.3 or newer</li>
+  <li>2.2.x users should upgrade to 2.2.2 or newer</li>
+  <li>2.3.x users should upgrade to 2.3.1 or newer</li>
+</ul>
+
+<p>Credit:</p>
+
+<ul>
+  <li>Spencer Gietzen, Rhino Security Labs</li>
+</ul>
+
+<h3 id="CVE-2018-1334">CVE-2018-1334: Apache Spark local privilege escalation 
vulnerability</h3>
+
+<p>Severity: High</p>
+
+<p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions affected:</p>
+
+<ul>
+  <li>Spark versions through 2.1.2</li>
+  <li>Spark 2.2.0 to 2.2.1</li>
+  <li>Spark 2.3.0</li>
+</ul>
+
+<p>Description:
+In Apache Spark up to and including 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when 
using PySpark or SparkR, 
+it&#8217;s possible for a different local user to connect to the Spark 
application and impersonate the 
+user running the Spark application.</p>
+
+<p>Mitigation:</p>
+
+<ul>
+  <li>1.x, 2.0.x, and 2.1.x users should upgrade to 2.1.3 or newer</li>
+  <li>2.2.x users should upgrade to 2.2.2 or newer</li>
+  <li>2.3.x users should upgrade to 2.3.1 or newer</li>
+  <li>Otherwise, affected users should avoid using PySpark and SparkR in 
multi-user environments.</li>
+</ul>
+
+<p>Credit:</p>
+
+<ul>
+  <li>Nehmé Tohmé, Cloudera, Inc.</li>
+</ul>
+
 <h3 id="CVE-2017-12612">CVE-2017-12612 Unsafe deserialization in Apache Spark 
launcher API</h3>
 
 <p>JIRA: <a 
href="https://issues.apache.org/jira/browse/SPARK-20922";>SPARK-20922</a></p>
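Review bot: site/security.html is the generated rendering of security.md, so the source problems carry straight through: `<p>Description:` wraps the label and the body text in one paragraph while `<p>Versions Affected:</p>`, `<p>Mitigation:</p>` and `<p>Credit:</p>` each get their own, CVE-2018-8024 still lacks the `<p>Severity:` and `<p>Vendor:` paragraphs that CVE-2018-1334 has, and `Versions Affected` vs `Versions affected` differs between the two entries. Fix these in the markdown source and regenerate rather than hand-editing this file, so the two stay in step.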
@@ -244,7 +309,7 @@ Update to Apache Spark 2.1.2, 2.2.0 or later.</p>
 
 <p>JIRA: <a 
href="https://issues.apache.org/jira/browse/SPARK-20393";>SPARK-20393</a></p>
 
-<p>Severity: Low</p>
+<p>Severity: Medium</p>
 
 <p>Vendor: The Apache Software Foundation</p>
 

