[ https://issues.apache.org/jira/browse/SPARK-20922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16472393#comment-16472393 ]

Marcelo Vanzin commented on SPARK-20922:
----------------------------------------

You should also be able to use just the spark-launcher library from a 2.x version to launch Spark 1.6 jobs, without having to update the rest of the Spark dependencies.

> Unsafe deserialization in Spark LauncherConnection
> --------------------------------------------------
>
>                 Key: SPARK-20922
>                 URL: https://issues.apache.org/jira/browse/SPARK-20922
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Submit
>    Affects Versions: 2.1.1
>            Reporter: Aditya Sharad
>            Assignee: Marcelo Vanzin
>            Priority: Major
>              Labels: security
>             Fix For: 2.0.3, 2.1.2, 2.2.0, 2.3.0
>
>         Attachments: spark-deserialize-master.zip
>
>
> The {{run()}} method of the class
> {{org.apache.spark.launcher.LauncherConnection}} performs unsafe
> deserialization of data received by its socket. This makes Spark applications
> launched programmatically using the {{SparkLauncher}} framework potentially
> vulnerable to remote code execution by an attacker with access to any user
> account on the local machine. Such an attacker could send a malicious
> serialized Java object to multiple ports on the local machine, and if this
> port matches the one (randomly) chosen by the Spark launcher, the malicious
> object will be deserialized. By making use of gadget chains in code present
> on the Spark application classpath, the deserialization process can lead to
> RCE or privilege escalation.
>
> This vulnerability is identified by the “Unsafe deserialization” rule on
> lgtm.com:
> https://lgtm.com/projects/g/apache/spark/snapshot/80fdc2c9d1693f5b3402a79ca4ec76f6e422ff13/files/launcher/src/main/java/org/apache/spark/launcher/LauncherConnection.java#V58
>
> Attached is a proof-of-concept exploit involving a simple
> {{SparkLauncher}}-based application and a known gadget chain in the Apache
> Commons Beanutils library referenced by Spark.
> See the readme file for demonstration instructions.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org