Daniel Darabos created SPARK-11652:
--------------------------------------

             Summary: Remote code execution with InvokerTransformer
                 Key: SPARK-11652
                 URL: https://issues.apache.org/jira/browse/SPARK-11652
             Project: Spark
          Issue Type: Bug
            Reporter: Daniel Darabos
            Priority: Minor


There is a remote code execution vulnerability in the Apache Commons 
collections library (https://issues.apache.org/jira/browse/COLLECTIONS-580) 
that can be exploited simply by causing malicious data to be deserialized using 
Java serialization.

As Spark is used in security-conscious environments I think it's worth taking a 
closer look at how the vulnerability affects Spark. What are the points where 
Spark deserializes external data? Which are affected by using Kryo instead of 
Java serialization? What mitigation strategies are available?

If the issue is serious enough but mitigation is possible, it may be useful to 
post about it on the mailing list or blog.

Thanks!
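One mitigation strategy the report asks about, as an added example that is not Spark's code and not from the reporter: a "look-ahead" ObjectInputStream that checks the class name in every class descriptor against an allowlist before any field of that object is read. A stream that names org.apache.commons.collections.functors.InvokerTransformer (or any other class the application does not expect) is rejected at the descriptor, so the gadget chain never gets a chance to run. The class names SafeDeserialization, AllowlistObjectInputStream and TaskResult are assumptions made for this demo; the rejected sample uses a plain java.util.HashMap as a stand-in for attacker-controlled data because the point is the descriptor check, not a specific gadget chain.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.Set;

// Added example (hypothetical class names): allowlist-based Java deserialization.
public class SafeDeserialization {

    // ObjectInputStream that refuses to resolve any class not on the allowlist.
    // resolveClass() runs for every non-proxy class descriptor in the stream
    // (including serializable superclasses and array types such as "[Ljava.lang.String;")
    // before the corresponding object's fields are read.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                // Reject here: no readObject() hook of the named class has run yet.
                throw new InvalidClassException(name, "not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces)
                throws IOException, ClassNotFoundException {
            // Dynamic proxies are a common link in gadget chains; this demo denies them outright.
            throw new InvalidClassException("java.lang.reflect.Proxy", "proxy classes are not accepted");
        }
    }

    // Hypothetical message type that the application genuinely expects to receive.
    static final class TaskResult implements Serializable {
        private static final long serialVersionUID = 1L;
        final String taskId;      // Strings are written as TC_STRING, no class descriptor needed
        final long elapsedMillis;

        TaskResult(String taskId, long elapsedMillis) {
            this.taskId = taskId;
            this.elapsedMillis = elapsedMillis;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (AllowlistObjectInputStream in =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Collections.singleton(TaskResult.class.getName());

        // Expected data: its only class descriptor is TaskResult, which is allowed.
        byte[] good = serialize(new TaskResult("task-7", 1234L));
        TaskResult r = (TaskResult) deserialize(good, allowed);
        System.out.println("accepted: " + r.taskId + " took " + r.elapsedMillis + " ms");

        // Constructed untrusted input: a stream whose first class descriptor names
        // java.util.HashMap. It is rejected before HashMap.readObject() is reached.
        byte[] untrusted = serialize(new HashMap<String, String>());
        try {
            deserialize(untrusted, allowed);
            System.out.println("BUG: untrusted stream was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two caveats a practitioner would want: on Java 9 and later the same policy can be expressed with the built-in ObjectInputFilter (JEP 290, also configurable process-wide via the jdk.serialFilter system property), which is preferable to subclassing; and switching to Kryo is only a comparable mitigation when class registration is required (Spark exposes this as spark.kryo.registrationRequired), since otherwise the stream can still name arbitrary classes for Kryo to instantiate.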



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
