[ https://issues.apache.org/jira/browse/SPARK-11652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15046738#comment-15046738 ]
Apache Spark commented on SPARK-11652:
--------------------------------------
User 'srowen' has created a pull request for this issue:
https://github.com/apache/spark/pull/10198
> Remote code execution with InvokerTransformer
> ---------------------------------------------
>
> Key: SPARK-11652
> URL: https://issues.apache.org/jira/browse/SPARK-11652
> Project: Spark
> Issue Type: Bug
> Components: Spark Core
> Reporter: Daniel Darabos
> Assignee: Sean Owen
> Priority: Minor
> Fix For: 1.4.2, 1.5.3, 1.6.0
>
>
> There is a remote code execution vulnerability in the Apache Commons
> collections library (https://issues.apache.org/jira/browse/COLLECTIONS-580)
> that can be exploited simply by causing malicious data to be deserialized
> using Java serialization.
> As Spark is used in security-conscious environments I think it's worth taking
> a closer look at how the vulnerability affects Spark. What are the points
> where Spark deserializes external data? Which are affected by using Kryo
> instead of Java serialization? What mitigation strategies are available?
> If the issue is serious enough but mitigation is possible, it may be useful
> to post about it on the mailing list or blog.
> Thanks!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)