Repository: spark-website Updated Branches: refs/heads/asf-site a45ba4718 -> e4b87718d
CVE-2018-11804 Project: http://git-wip-us.apache.org/repos/asf/spark-website/repo Commit: http://git-wip-us.apache.org/repos/asf/spark-website/commit/e4b87718 Tree: http://git-wip-us.apache.org/repos/asf/spark-website/tree/e4b87718 Diff: http://git-wip-us.apache.org/repos/asf/spark-website/diff/e4b87718 Branch: refs/heads/asf-site Commit: e4b87718dca2e36c3eba08b10cc54f0c23abd1bb Parents: a45ba47 Author: Sean Owen <[email protected]> Authored: Wed Oct 24 11:26:23 2018 -0500 Committer: Sean Owen <[email protected]> Committed: Wed Oct 24 11:26:23 2018 -0500 ---------------------------------------------------------------------- security.md | 33 +++++++++++++++++++++++++++++++++ site/security.html | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 70 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/spark-website/blob/e4b87718/security.md ---------------------------------------------------------------------- diff --git a/security.md b/security.md index 9883d62..28ce10c 100644 --- a/security.md +++ b/security.md 
@@ -18,6 +18,39 @@ non-public list that will reach the Apache Security team, as well as the Spark P <h2>Known Security Issues</h2> + +<h3 id="CVE-2018-11804">CVE-2018-11804: Apache Spark build/mvn runs zinc, and can expose information from build machines</h3> + +Severity: Low + +Vendor: The Apache Software Foundation + +Versions Affected + +- 1.3.x release branch and later + +Description: + +Spark's Apache Maven-based build includes a convenience script, 'build/mvn', +that downloads and runs a zinc server to speed up compilation. This server +will accept connections from external hosts by default. A specially-crafted +request to the zinc server could cause it to reveal information in files +readable to the developer account running the build. Note that this issue +does not affect end users of Spark, only developers building Spark from +source code. + +Mitigation: + +- Spark users are not affected, as zinc is only a part of the build process. +- Spark developers may simply use a local Maven installation's 'mvn' command to build, and avoid running build/mvn and zinc. +- Spark developers building actively-developed branches (2.2.x, 2.3.x, 2.4.x, master) may update their branches to receive mitigations already patched onto the build/mvn script +- Spark developers running zinc separately may include "-server 127.0.0.1" in its command line, and consider additional flags like "-idle-timeout 30m" to achieve similar mitigation. + +Credit: + +- Andre Protas, Apple Information Security + + <h3 id="CVE-2018-11770">CVE-2018-11770: Apache Spark standalone master, Mesos REST APIs not controlled by authentication</h3> Severity: Medium http://git-wip-us.apache.org/repos/asf/spark-website/blob/e4b87718/site/security.html ---------------------------------------------------------------------- diff --git a/site/security.html b/site/security.html index 6b7e840..5263af9 100644 --- a/site/security.html +++ b/site/security.html 
@@ -211,6 +211,43 @@ non-public list that will reach the Apache Security team, as well as the Spark P <h2>Known Security Issues</h2> +<h3 id="CVE-2018-11804">CVE-2018-11804: Apache Spark build/mvn runs zinc, and can expose information from build machines</h3> + +<p>Severity: Low</p> + +<p>Vendor: The Apache Software Foundation</p> + +<p>Versions Affected</p> + +<ul> + <li>1.3.x release branch and later</li> +</ul> + +<p>Description:</p> + +<p>Spark’s Apache Maven-based build includes a convenience script, ‘build/mvn’, +that downloads and runs a zinc server to speed up compilation. This server +will accept connections from external hosts by default. A specially-crafted +request to the zinc server could cause it to reveal information in files +readable to the developer account running the build. Note that this issue +does not affect end users of Spark, only developers building Spark from +source code.</p> + +<p>Mitigation:</p> + +<ul> + <li>Spark users are not affected, as zinc is only a part of the build process.</li> + <li>Spark developers may simply use a local Maven installation’s ‘mvn’ command to build, and avoid running build/mvn and zinc.</li> + <li>Spark developers building actively-developed branches (2.2.x, 2.3.x, 2.4.x, master) may update their branches to receive mitigations already patched onto the build/mvn script</li> + <li>Spark developers running zinc separately may include “-server 127.0.0.1” in its command line, and consider additional flags like “-idle-timeout 30m” to achieve similar mitigation.</li> +</ul> + +<p>Credit:</p> + +<ul> + <li>Andre Protas, Apple Information Security</li> +</ul> + <h3 id="CVE-2018-11770">CVE-2018-11770: Apache Spark standalone master, Mesos REST APIs not controlled by authentication</h3> <p>Severity: Medium</p> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
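Review bot: in the security.md hunk, the third Mitigation bullet ("... may update their branches to receive mitigations already patched onto the build/mvn script") is the only bullet without a terminating period, and "Versions Affected" lacks the colon that "Description:", "Mitigation:" and "Credit:" carry. More substantively, the advisory tells developers on 2.2.x, 2.3.x, 2.4.x and master to update their branch but never names a release that ships the patched build/mvn, so a developer building from a release tag cannot tell whether they are covered; consider adding the first fixed versions under Mitigation. The command-line flags would also be better wrapped in backticks (`-server 127.0.0.1`, `-idle-timeout 30m`) so they render as code rather than quoted prose.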
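Review bot: in the site/security.html hunk, the rendered markup has turned the straight quotes around the zinc flags into typographic quotes (“-server 127.0.0.1” and “-idle-timeout 30m”), and likewise ‘build/mvn’ and ‘mvn’, so a developer copying a flag from the rendered page picks up the curly quote characters. Since this file mirrors security.md and appears to be generated from it, the fix belongs in the markdown source (backticks, which render as `<code>`), followed by regenerating site/security.html rather than hand-editing it here.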
