[
https://issues.apache.org/jira/browse/SPARK-20922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16472231#comment-16472231
]
Marcelo Vanzin commented on SPARK-20922:
----------------------------------------
I think Spark 1.6 at this point is considered EOL by the community; there are
no more planned releases for that line that I know of.
> Unsafe deserialization in Spark LauncherConnection
> --------------------------------------------------
>
> Key: SPARK-20922
> URL: https://issues.apache.org/jira/browse/SPARK-20922
> Project: Spark
> Issue Type: Bug
> Components: Spark Submit
> Affects Versions: 2.1.1
> Reporter: Aditya Sharad
> Assignee: Marcelo Vanzin
> Priority: Major
> Labels: security
> Fix For: 2.0.3, 2.1.2, 2.2.0, 2.3.0
>
> Attachments: spark-deserialize-master.zip
>
>
> The {{run()}} method of the class
> {{org.apache.spark.launcher.LauncherConnection}} performs unsafe
> deserialization of data received by its socket. This makes Spark applications
> launched programmatically using the {{SparkLauncher}} framework potentially
> vulnerable to remote code execution by an attacker with access to any user
> account on the local machine. Such an attacker could send a malicious
> serialized Java object to multiple ports on the local machine, and if this
> port matches the one (randomly) chosen by the Spark launcher, the malicious
> object will be deserialized. By making use of gadget chains in code present
> on the Spark application classpath, the deserialization process can lead to
> RCE or privilege escalation.
> This vulnerability is identified by the “Unsafe deserialization” rule on
> lgtm.com:
> https://lgtm.com/projects/g/apache/spark/snapshot/80fdc2c9d1693f5b3402a79ca4ec76f6e422ff13/files/launcher/src/main/java/org/apache/spark/launcher/LauncherConnection.java#V58
>
> Attached is a proof-of-concept exploit involving a simple
> {{SparkLauncher}}-based application and a known gadget chain in the Apache
> Commons Beanutils library referenced by Spark.
> See the readme file for demonstration instructions.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
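The two reader shapes the report contrasts, as an added example that is not part of the JIRA issue, the attached proof of concept, or Spark's own code: an unfiltered `ObjectInputStream.readObject()` over bytes that could have arrived on the launcher's socket, beside a hardened reader that overrides `resolveClass` to admit only an explicit allowlist of protocol classes. The class names `Hello` and `Gadget`, the `secret` field, the allowlist contents and the serialized inputs are all constructed for this demo; `Gadget` is a benign stand-in whose `readObject()` only records that it ran, not a real gadget chain.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;

public class LauncherDeserializationDemo {

    /** Hypothetical stand-in for a legitimate launcher protocol message (assumption, not Spark's class). */
    static final class Hello implements Serializable {
        private static final long serialVersionUID = 1L;
        final String secret;
        Hello(String secret) { this.secret = secret; }
    }

    /**
     * Stand-in for an attacker-chosen class that happens to be on the application classpath.
     * A real gadget would do attacker-controlled work inside readObject(); this one only
     * records that the JVM invoked it, which is enough to show when that code path runs.
     */
    static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean triggered = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true;   // executed by the deserializer, before the caller sees any object
        }
    }

    /** Vulnerable pattern the report describes: whatever class the stream names gets instantiated. */
    static Object readUnfiltered(InputStream wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(wire)) {
            return in.readObject();
        }
    }

    /** Hardened reader: class descriptors not on the allowlist are rejected before loading or instantiation. */
    static final class FilteredObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        FilteredObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);               // only reads the stream header; resolveClass is not called here
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // Called for every class descriptor in the stream, before any instance of it is created.
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not allowed by launcher protocol");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readFiltered(InputStream wire, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new FilteredObjectInputStream(wire, allowed)) {
            return in.readObject();
        }
    }

    /** Produces the bytes a client (legitimate or not) would write to the launcher's port. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Allowlist holds only the protocol's own message type(s); assumption for this demo.
        Set<String> allowed = Collections.singleton(Hello.class.getName());

        byte[] legit = serialize(new Hello("launcher-secret"));   // constructed: what the real client sends
        byte[] hostile = serialize(new Gadget());                  // constructed: what a local attacker could send

        // 1. Unfiltered reader: the stream decides which class runs, and Gadget.readObject() executes.
        readUnfiltered(new ByteArrayInputStream(hostile));
        System.out.println("unfiltered reader invoked Gadget.readObject(): " + Gadget.triggered);

        // 2. Filtered reader still accepts the legitimate protocol message.
        Hello h = (Hello) readFiltered(new ByteArrayInputStream(legit), allowed);
        System.out.println("filtered reader accepted Hello with secret: " + h.secret);

        // 3. Filtered reader rejects the unexpected class in resolveClass, so its readObject() never runs.
        Gadget.triggered = false;
        try {
            readFiltered(new ByteArrayInputStream(hostile), allowed);
            System.out.println("unexpected: hostile stream was accepted");
        } catch (InvalidClassException e) {
            System.out.println("filtered reader rejected: " + e.getMessage());
        }
        System.out.println("Gadget.readObject() invoked under filter: " + Gadget.triggered);
    }
}
```

Compile and run with `javac LauncherDeserializationDemo.java && java LauncherDeserializationDemo`. In the launcher scenario the `InputStream` would be the accepted socket's input stream rather than a byte array, and the point of the report is that the very first object off that socket is attacker-controlled, so the filter has to be in place on the stream before the first `readObject()` call, not applied to the result afterwards. An allowlist is preferable to denylisting known gadget classes because the attacker chooses the classes and a Spark application's classpath is large. On Java 9+ (and 8u121+) the same policy can also be expressed with JEP 290 serialization filters, via `ObjectInputStream.setObjectInputFilter(...)` or the `jdk.serialFilter` system property, which additionally bound array sizes and graph depth.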