[
https://issues.apache.org/jira/browse/SPARK-11682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15001690#comment-15001690
]
Marcelo Vanzin commented on SPARK-11682:
----------------------------------------
If you want to look at exploitability of this, the only potential places are
the Master / Worker daemons, since they accept serialized objects over akka /
spark rpc. But I've never seen commons-collection being used in Spark. The code
you mention is not susceptible to attacks, nor is any other part of Spark I can
think of, since they just consume serialized data created by Spark itself.
> Commons-collections object deserialization may expose remote command
> execution vulnerability
> --------------------------------------------------------------------------------------------
>
> Key: SPARK-11682
> URL: https://issues.apache.org/jira/browse/SPARK-11682
> Project: Spark
> Issue Type: Bug
> Reporter: Ted Yu
>
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> TL;DR: If you have commons-collections on your classpath and accept and
> process Java object serialization data, then you may have an exploitable
> remote command execution vulnerability.
> In ./launcher/src/main/java/org/apache/spark/launcher/LauncherConnection.java
> :
> {code}
> ObjectInputStream in = new ObjectInputStream(socket.getInputStream());
> while (!closed) {
> Message msg = (Message) in.readObject();
> {code}
> There may be other occurrence(s).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
