[jira] [Commented] (SPARK-11652) Remote code execution with InvokerTransformer
[ https://issues.apache.org/jira/browse/SPARK-11652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15046619#comment-15046619 ] meiyoula commented on SPARK-11652: -- [~darabos] Can you have a look on the patch merged by owen, I think the artifactId of the dependency is wrong. > Remote code execution with InvokerTransformer > - > > Key: SPARK-11652 > URL: https://issues.apache.org/jira/browse/SPARK-11652 > Project: Spark > Issue Type: Bug > Components: Spark Core >Reporter: Daniel Darabos >Assignee: Sean Owen >Priority: Minor > Fix For: 1.4.2, 1.5.3, 1.6.0 > > > There is a remote code execution vulnerability in the Apache Commons > collections library (https://issues.apache.org/jira/browse/COLLECTIONS-580) > that can be exploited simply by causing malicious data to be deserialized > using Java serialization. > As Spark is used in security-conscious environments I think it's worth taking > a closer look at how the vulnerability affects Spark. What are the points > where Spark deserializes external data? Which are affected by using Kryo > instead of Java serialization? What mitigation strategies are available? > If the issue is serious enough but mitigation is possible, it may be useful > to post about it on the mailing list or blog. > Thanks! -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Commented] (SPARK-11652) Remote code execution with InvokerTransformer
[ https://issues.apache.org/jira/browse/SPARK-11652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15046738#comment-15046738 ] Apache Spark commented on SPARK-11652: -- User 'srowen' has created a pull request for this issue: https://github.com/apache/spark/pull/10198 > Remote code execution with InvokerTransformer > - > > Key: SPARK-11652 > URL: https://issues.apache.org/jira/browse/SPARK-11652 > Project: Spark > Issue Type: Bug > Components: Spark Core >Reporter: Daniel Darabos >Assignee: Sean Owen >Priority: Minor > Fix For: 1.4.2, 1.5.3, 1.6.0 > > > There is a remote code execution vulnerability in the Apache Commons > collections library (https://issues.apache.org/jira/browse/COLLECTIONS-580) > that can be exploited simply by causing malicious data to be deserialized > using Java serialization. > As Spark is used in security-conscious environments I think it's worth taking > a closer look at how the vulnerability affects Spark. What are the points > where Spark deserializes external data? Which are affected by using Kryo > instead of Java serialization? What mitigation strategies are available? > If the issue is serious enough but mitigation is possible, it may be useful > to post about it on the mailing list or blog. > Thanks! -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Commented] (SPARK-11652) Remote code execution with InvokerTransformer
[ https://issues.apache.org/jira/browse/SPARK-11652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15006413#comment-15006413 ] Apache Spark commented on SPARK-11652: -- User 'srowen' has created a pull request for this issue: https://github.com/apache/spark/pull/9731 > Remote code execution with InvokerTransformer > - > > Key: SPARK-11652 > URL: https://issues.apache.org/jira/browse/SPARK-11652 > Project: Spark > Issue Type: Bug > Components: Spark Core >Reporter: Daniel Darabos >Priority: Minor > > There is a remote code execution vulnerability in the Apache Commons > collections library (https://issues.apache.org/jira/browse/COLLECTIONS-580) > that can be exploited simply by causing malicious data to be deserialized > using Java serialization. > As Spark is used in security-conscious environments I think it's worth taking > a closer look at how the vulnerability affects Spark. What are the points > where Spark deserializes external data? Which are affected by using Kryo > instead of Java serialization? What mitigation strategies are available? > If the issue is serious enough but mitigation is possible, it may be useful > to post about it on the mailing list or blog. > Thanks! -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Commented] (SPARK-11652) Remote code execution with InvokerTransformer
[ https://issues.apache.org/jira/browse/SPARK-11652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15006412#comment-15006412 ] Sean Owen commented on SPARK-11652: --- Looks like 3.2.2 is out with bug fixes, including disabling the affected code path by default. I'll open a PR to update from 3.2.1 to 3.2.2 just to be sure. https://commons.apache.org/proper/commons-collections/release_3_2_2.html > Remote code execution with InvokerTransformer > - > > Key: SPARK-11652 > URL: https://issues.apache.org/jira/browse/SPARK-11652 > Project: Spark > Issue Type: Bug > Components: Spark Core >Reporter: Daniel Darabos >Priority: Minor > > There is a remote code execution vulnerability in the Apache Commons > collections library (https://issues.apache.org/jira/browse/COLLECTIONS-580) > that can be exploited simply by causing malicious data to be deserialized > using Java serialization. > As Spark is used in security-conscious environments I think it's worth taking > a closer look at how the vulnerability affects Spark. What are the points > where Spark deserializes external data? Which are affected by using Kryo > instead of Java serialization? What mitigation strategies are available? > If the issue is serious enough but mitigation is possible, it may be useful > to post about it on the mailing list or blog. > Thanks! -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Commented] (SPARK-11652) Remote code execution with InvokerTransformer
[ https://issues.apache.org/jira/browse/SPARK-11652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15003982#comment-15003982 ] Daniel Darabos commented on SPARK-11652: > I may be missing some point, but Spark isn't consuming serialized data from > untrusted sources in general, right? The risk here is way down the list of > risks if untrusted sources are sending closures to your cluster. I was thinking of seemingly harmless things like executor heartbeats and stuff like that. I've never looked at how authentication is implemented. All communications on all ports are authenticated? If so, then I don't see any way to exploit this either. Sorry for the noise then. > Remote code execution with InvokerTransformer > - > > Key: SPARK-11652 > URL: https://issues.apache.org/jira/browse/SPARK-11652 > Project: Spark > Issue Type: Bug > Components: Spark Core >Reporter: Daniel Darabos >Priority: Minor > > There is a remote code execution vulnerability in the Apache Commons > collections library (https://issues.apache.org/jira/browse/COLLECTIONS-580) > that can be exploited simply by causing malicious data to be deserialized > using Java serialization. > As Spark is used in security-conscious environments I think it's worth taking > a closer look at how the vulnerability affects Spark. What are the points > where Spark deserializes external data? Which are affected by using Kryo > instead of Java serialization? What mitigation strategies are available? > If the issue is serious enough but mitigation is possible, it may be useful > to post about it on the mailing list or blog. > Thanks! -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Commented] (SPARK-11652) Remote code execution with InvokerTransformer
[ https://issues.apache.org/jira/browse/SPARK-11652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15000858#comment-15000858 ] Sean Owen commented on SPARK-11652: --- I may be missing some point, but Spark isn't consuming serialized data from untrusted sources in general, right? The risk here is way down the list of risks if untrusted sources are sending closures to your cluster. > Remote code execution with InvokerTransformer > - > > Key: SPARK-11652 > URL: https://issues.apache.org/jira/browse/SPARK-11652 > Project: Spark > Issue Type: Bug > Components: Spark Core >Reporter: Daniel Darabos >Priority: Minor > > There is a remote code execution vulnerability in the Apache Commons > collections library (https://issues.apache.org/jira/browse/COLLECTIONS-580) > that can be exploited simply by causing malicious data to be deserialized > using Java serialization. > As Spark is used in security-conscious environments I think it's worth taking > a closer look at how the vulnerability affects Spark. What are the points > where Spark deserializes external data? Which are affected by using Kryo > instead of Java serialization? What mitigation strategies are available? > If the issue is serious enough but mitigation is possible, it may be useful > to post about it on the mailing list or blog. > Thanks! -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
