[ https://issues.apache.org/jira/browse/SPARK-20922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16389809#comment-16389809 ]

Patrick John Esteban commented on SPARK-20922:
----------------------------------------------

Hi Guys,

I'm new to this vulnerability. Can someone share a step-by-step procedure on how 
to remediate this vulnerability (Unsafe deserialization in Spark 
LauncherConnection)? I've seen in this thread that there is an attached file 
(spark-deserialize-master.zip). Can someone share step by step how to use 
this on our Linux machine? Btw, we're using CentOS.

> Unsafe deserialization in Spark LauncherConnection
> --------------------------------------------------
>
>                 Key: SPARK-20922
>                 URL: https://issues.apache.org/jira/browse/SPARK-20922
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Submit
>    Affects Versions: 2.1.1
>            Reporter: Aditya Sharad
>            Assignee: Marcelo Vanzin
>            Priority: Major
>              Labels: security
>             Fix For: 2.0.3, 2.1.2, 2.2.0, 2.3.0
>
>         Attachments: spark-deserialize-master.zip
>
>
> The {{run()}} method of the class 
> {{org.apache.spark.launcher.LauncherConnection}} performs unsafe 
> deserialization of data received by its socket. This makes Spark applications 
> launched programmatically using the {{SparkLauncher}} framework potentially 
> vulnerable to remote code execution by an attacker with access to any user 
> account on the local machine. Such an attacker could send a malicious 
> serialized Java object to multiple ports on the local machine, and if this 
> port matches the one (randomly) chosen by the Spark launcher, the malicious 
> object will be deserialized. By making use of gadget chains in code present 
> on the Spark application classpath, the deserialization process can lead to 
> RCE or privilege escalation.
> This vulnerability is identified by the “Unsafe deserialization” rule on 
> lgtm.com:
> https://lgtm.com/projects/g/apache/spark/snapshot/80fdc2c9d1693f5b3402a79ca4ec76f6e422ff13/files/launcher/src/main/java/org/apache/spark/launcher/LauncherConnection.java#V58
>  
> Attached is a proof-of-concept exploit involving a simple 
> {{SparkLauncher}}-based application and a known gadget chain in the Apache 
> Commons Beanutils library referenced by Spark.
> See the readme file for demonstration instructions.
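The mitigation pattern for this class of bug, as an added example that is not Spark's own fix code: an ObjectInputStream subclass whose resolveClass() rejects any class outside an explicit allowlist, so a hostile serialized object is refused before any gadget class on the classpath is even loaded. LauncherMessage and the allowlist are hypothetical stand-ins for the launcher protocol's message types; the actual remediation for SPARK-20922 is upgrading to one of the listed Fix For versions.

```java
import java.io.*;
import java.util.Set;

// Added example, not Spark's own fix: an ObjectInputStream that only resolves
// classes on an explicit allowlist. A plain `new ObjectInputStream(socketIn).readObject()`
// is the vulnerable form, since it will instantiate any class on the classpath.
public class AllowlistObjectInputStream extends ObjectInputStream {
    // Hypothetical message type standing in for a launcher protocol message.
    public static final class LauncherMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String command;
        public LauncherMessage(String command) { this.command = command; }
    }
    // Only the types the protocol actually exchanges (hypothetical list).
    private static final Set<String> ALLOWED = Set.of(
        LauncherMessage.class.getName(), "java.lang.Integer");

    public AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName())) {
            // Reject before the class is loaded or any readObject() logic runs.
            throw new InvalidClassException(desc.getName(), "not allowed by launcher protocol");
        }
        return super.resolveClass(desc);
    }

    // Hardened read: same call site as before, but on the filtered stream.
    static Object readFiltered(InputStream in) throws Exception {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(in)) { return ois.readObject(); }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: an expected message and an arbitrary non-protocol object.
        byte[] ok = serialize(new LauncherMessage("submit"));
        byte[] other = serialize(new java.util.ArrayList<String>());
        System.out.println(((LauncherMessage) readFiltered(new ByteArrayInputStream(ok))).command);
        try { readFiltered(new ByteArrayInputStream(other)); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

On Java 9 and later the same allowlist can also be installed with ObjectInputStream.setObjectInputFilter (JEP 290), which additionally bounds object-graph depth and array sizes.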



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
