[jira] [Resolved] (SPARK-11682) Commons-collections object deserialization may expose remote command execution vulnerability

Sean Owen (JIRA) Thu, 12 Nov 2015 03:48:07 -0800

     [ 
https://issues.apache.org/jira/browse/SPARK-11682?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Sean Owen resolved SPARK-11682.
-------------------------------
    Resolution: Duplicate

[~tedyu] I think you're familiar enough with this project to know to have a 
look for duplicates first. 

> Commons-collections object deserialization may expose remote command 
> execution vulnerability
> --------------------------------------------------------------------------------------------
>
>                 Key: SPARK-11682
>                 URL: https://issues.apache.org/jira/browse/SPARK-11682
>             Project: Spark
>          Issue Type: Bug
>            Reporter: Ted Yu
>
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> TL;DR: If you have commons-collections on your classpath and accept and 
> process Java object serialization data, then you may have an exploitable 
> remote command execution vulnerability.
> In ./launcher/src/main/java/org/apache/spark/launcher/LauncherConnection.java 
> :
> {code}
>       ObjectInputStream in = new ObjectInputStream(socket.getInputStream());
>       while (!closed) {
>         Message msg = (Message) in.readObject();
> {code}
> There may be other occurrence(s).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Resolved] (SPARK-11682) Commons-collections object deserialization may expose remote command execution vulnerability

Reply via email to