Re: CVE-2022-33891 mitigation

2022-11-21 Thread Kostya Kortchinsky
Correct: as per the code below from SecurityManager.scala, if acls aren't
enabled, we skip the vulnerable code path (getCurrentUserGroups)

  private def isUserInACL(
      user: String,
      aclUsers: Set[String],
      aclGroups: Set[String]): Boolean = {
    // Any of these short-circuits returns before the group lookup below;
    // with aclsEnabled == false the second condition always holds.
    if (user == null ||
        !aclsEnabled ||
        aclUsers.contains(WILDCARD_ACL) ||
        aclUsers.contains(user) ||
        aclGroups.contains(WILDCARD_ACL)) {
      true
    } else {
      val userGroups = Utils.getCurrentUserGroups(sparkConf, user)
      logDebug(s"user $user is in groups ${userGroups.mkString(",")}")
      aclGroups.exists(userGroups.contains(_))
    }
  }

On Mon, Nov 21, 2022 at 1:17 PM Sean Owen wrote:

> CCing Kostya for a better view, but I believe that this will not be an
> issue if you're not using the ACLs in Spark, yes.
>
> On Mon, Nov 21, 2022 at 2:38 PM Andrew Pomponio wrote:
>
>> I am using Spark 2.3.0 and trying to mitigate
>> https://nvd.nist.gov/vuln/detail/CVE-2022-33891. The correct thing to do
>> is to update. However, I am told this is not happening. Thus, I am trying
>> to determine if the following are set:
>>
>> spark.acls.enable false
>> spark.history.ui.acls.enable false
>>
>> These are 100% set in the config. I checked the config for weird
>> whitespace issues in a hex editor. Nonetheless, the config does not show up
>> in the UI. Thus, I took a heap dump. If I read the heap dump in text mode I
>> can see this:
>>
>> V is abstract � ��spark.acls.enable1 � 0invalid end of optional part at
>> position
>>
>> I am not able to find this in VisualVM or MAT to determine what that is
>> set to. Any thoughts?
>>


Re: CVE-2022-33891 mitigation

2022-11-21 Thread Sean Owen
CCing Kostya for a better view, but I believe that this will not be an
issue if you're not using the ACLs in Spark, yes.

On Mon, Nov 21, 2022 at 2:38 PM Andrew Pomponio wrote:

> I am using Spark 2.3.0 and trying to mitigate
> https://nvd.nist.gov/vuln/detail/CVE-2022-33891. The correct thing to do
> is to update. However, I am told this is not happening. Thus, I am trying
> to determine if the following are set:
>
> spark.acls.enable false
> spark.history.ui.acls.enable false
>
> These are 100% set in the config. I checked the config for weird
> whitespace issues in a hex editor. Nonetheless, the config does not show up
> in the UI. Thus, I took a heap dump. If I read the heap dump in text mode I
> can see this:
>
> V is abstract � ��spark.acls.enable1 � 0invalid end of optional part at
> position
>
> I am not able to find this in VisualVM or MAT to determine what that is
> set to. Any thoughts?
>


CVE-2022-33891 mitigation

2022-11-21 Thread Andrew Pomponio
I am using Spark 2.3.0 and trying to mitigate 
https://nvd.nist.gov/vuln/detail/CVE-2022-33891. The correct thing to do is to 
update. However, I am told this is not happening. Thus, I am trying to 
determine if the following are set:

spark.acls.enable false
spark.history.ui.acls.enable false

These are 100% set in the config. I checked the config for weird whitespace 
issues in a hex editor. Nonetheless, the config does not show up in the UI. 
Thus, I took a heap dump. If I read the heap dump in text mode I can see this:

V is abstract���spark.acls.enable1�0invalid end of optional part at position

I am not able to find this in VisualVM or MAT to determine what that is set to. 
Any thoughts?

Andrew Pomponio | Associate Enterprise Architect, OpenLogic
Perforce Software
P: +1 612.517.2100
Visit us on: LinkedIn | Twitter | Facebook | YouTube

Use our new Community portal to submit/track support cases!

This e-mail may contain information that is privileged or confidential. If you
are not the intended recipient, please delete the e-mail and any attachments
and notify us immediately.
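Added example for this thread, not code from Spark or from any of the posters: it covers both Andrew's question (are spark.acls.enable and spark.history.ui.acls.enable really set to false, whitespace oddities notwithstanding) and Kostya's point that the isUserInACL gating order never reaches Utils.getCurrentUserGroups when ACLs are disabled. It parses a constructed spark-defaults.conf offline and models the Scala method's condition order in Python. The separator handling assumes the Java Properties format Spark reads the file with (whitespace, "=" or ":"); the sample file, the user/group names and the instrumented lookup are all constructed here.

```python
"""Offline check of the ACL switches discussed in this thread, plus a model of
the short-circuit in SecurityManager.isUserInACL. Not Spark's own code."""
import re
from typing import Callable, Dict, Iterable, Optional, Tuple

WILDCARD_ACL = "*"
ACL_KEYS = ("spark.acls.enable", "spark.history.ui.acls.enable")

# Assumption: spark-defaults.conf is read via java.util.Properties, so a key
# may be separated from its value by whitespace, '=' or ':'; lines starting
# with '#' or '!' are comments.
_PROP_LINE = re.compile(r"^([^\s=:]+)\s*[=:\s]\s*(.*?)$")


def parse_spark_defaults(text: str) -> Dict[str, str]:
    """Return the properties in a spark-defaults.conf with whitespace normalised.

    Tabs, trailing blanks and CRLF endings (the things one would otherwise
    hunt for in a hex editor) are tolerated rather than reported.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _PROP_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
        else:                       # bare key with no value
            props[line] = ""
    return props


def acl_switch_status(props: Dict[str, str]) -> Dict[str, str]:
    """Report each ACL switch as 'false', 'true' or 'unset'.

    Spark documents both keys as defaulting to false, so 'unset' also leaves
    the ACL path off; an explicit 'false' is what the thread set out to confirm.
    """
    return {k: (props[k].lower() if k in props else "unset") for k in ACL_KEYS}


def is_user_in_acl(user: Optional[str],
                   acl_users: Iterable[str],
                   acl_groups: Iterable[str],
                   acls_enabled: bool,
                   groups_of: Callable[[str], Iterable[str]]) -> bool:
    """Python rendering of the isUserInACL condition order quoted above.

    The first condition that holds wins; with acls_enabled False the call to
    groups_of (standing in for Utils.getCurrentUserGroups) is never made.
    """
    acl_users, acl_groups = set(acl_users), set(acl_groups)
    if (user is None or not acls_enabled
            or WILDCARD_ACL in acl_users or user in acl_users
            or WILDCARD_ACL in acl_groups):
        return True
    user_groups = set(groups_of(user))
    return any(g in user_groups for g in acl_groups)


def group_lookup_reached(acls_enabled: bool, user: str = "carol",
                         acl_users: Iterable[str] = ("alice",),
                         acl_groups: Iterable[str] = ("admins",),
                         groups: Iterable[str] = ("admins",)) -> Tuple[bool, bool]:
    """Run is_user_in_acl with an instrumented group lookup (constructed names).

    Returns (allowed, lookup_was_called) so the reader can see exactly which
    inputs reach the group-resolution path.
    """
    called = []

    def groups_of(u: str) -> Iterable[str]:
        called.append(u)
        return groups

    allowed = is_user_in_acl(user, acl_users, acl_groups, acls_enabled, groups_of)
    return allowed, bool(called)


# Constructed sample spark-defaults.conf with deliberately untidy whitespace.
SAMPLE_CONF = (
    "# constructed sample, not a real deployment's file\n"
    "spark.master                 yarn\n"
    "spark.acls.enable   \tfalse   \r\n"
    "spark.history.ui.acls.enable=false\n"
    "spark.ui.view.acls           alice,bob\n"
)

if __name__ == "__main__":
    for key, value in acl_switch_status(parse_spark_defaults(SAMPLE_CONF)).items():
        print(f"{key:30s} {value}")
    for enabled in (False, True):
        allowed, reached = group_lookup_reached(enabled)
        print(f"acls_enabled={enabled}: allowed={allowed}, group lookup reached={reached}")
```

Running it against a real file (`parse_spark_defaults(open(path).read())`) answers the first question from the file itself; the second half shows that an explicit `false` on `spark.acls.enable` keeps every request on the first branch, which is why the group lookup is not exercised regardless of what the UI's environment page happens to display.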