[jira] [Commented] (SPARK-20922) Unsafe deserialization in Spark LauncherConnection

Thu, 03 Aug 2017 04:45:17 -0700 

    [ 
https://issues.apache.org/jira/browse/SPARK-20922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16112602#comment-16112602
 ] 

Sean Owen commented on SPARK-20922:
-----------------------------------

If you'd email a suggested CVE description to priv...@spark.apache.org, we can 
go through the motions of reporting it as one. The ASF process is: 
https://www.apache.org/security/ https://www.apache.org/security/projects.html

> Unsafe deserialization in Spark LauncherConnection
> --------------------------------------------------
>
>                 Key: SPARK-20922
>                 URL: https://issues.apache.org/jira/browse/SPARK-20922
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Submit
>    Affects Versions: 2.1.1
>            Reporter: Aditya Sharad
>            Assignee: Marcelo Vanzin
>              Labels: security
>             Fix For: 2.0.3, 2.1.2, 2.2.0, 2.3.0
>
>         Attachments: spark-deserialize-master.zip
>
>
> The {{run()}} method of the class 
> {{org.apache.spark.launcher.LauncherConnection}} performs unsafe 
> deserialization of data received by its socket. This makes Spark applications 
> launched programmatically using the {{SparkLauncher}} framework potentially 
> vulnerable to remote code execution by an attacker with access to any user 
> account on the local machine. Such an attacker could send a malicious 
> serialized Java object to multiple ports on the local machine, and if this 
> port matches the one (randomly) chosen by the Spark launcher, the malicious 
> object will be deserialized. By making use of gadget chains in code present 
> on the Spark application classpath, the deserialization process can lead to 
> RCE or privilege escalation.
> This vulnerability is identified by the “Unsafe deserialization” rule on 
> lgtm.com:
> https://lgtm.com/projects/g/apache/spark/snapshot/80fdc2c9d1693f5b3402a79ca4ec76f6e422ff13/files/launcher/src/main/java/org/apache/spark/launcher/LauncherConnection.java#V58
>  
> Attached is a proof-of-concept exploit involving a simple 
> {{SparkLauncher}}-based application and a known gadget chain in the Apache 
> Commons Beanutils library referenced by Spark.
> See the readme file for demonstration instructions.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org

Reply via email to