I'm resending this CVE from several months ago to user@ and dev@, as
we understand that a tool to exploit it may be released soon.
The most straightforward mitigation for those that are affected (using
the standalone master, where spark.authenticate is necessary) is to
update to 2.4.6 or 3.0.0+.
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Spark 2.4.5 and earlier
Description:
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled,
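The advisory scopes the issue to Spark 2.4.5 and earlier, and the resend narrows the practical concern to deployments that use the standalone master with spark.authenticate enabled, recommending an upgrade to 2.4.6 or 3.0.0+. The following is an added example, not code from the advisory or from the Spark project: a small inventory check that reads a spark-defaults.conf and a reported version string and decides whether a deployment sits inside that affected range and configuration. The sample configuration, the host name and the secret placeholder are constructed; the version boundary comes from the advisory itself. Version strings are compared numerically rather than lexically, so that a hypothetical 2.4.10 is correctly treated as newer than 2.4.6.

```python
"""Added check, not part of the advisory or of Apache Spark: flag a standalone
Spark deployment that is on 2.4.5 or earlier and relies on spark.authenticate."""
import re

# Boundary stated in the advisory: 2.4.5 and earlier are affected; the
# recommended fix is to move to 2.4.6 or 3.0.0+.
FIRST_FIXED = (2, 4, 6)

# Constructed sample spark-defaults.conf; the host and secret are placeholders,
# not values from any real deployment.
SAMPLE_CONF = """\
# constructed sample, not from a real cluster
spark.master              spark://master.example.internal:7077
spark.authenticate        true
spark.authenticate.secret = REDACTED_PLACEHOLDER
"""


def parse_version(version: str) -> tuple:
    """Turn '2.4.5', '2.4.5-SNAPSHOT' or '3.0.0-preview2' into (major, minor, patch)
    so comparisons are numeric: (2, 4, 10) > (2, 4, 6), which a string compare
    would get wrong."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Spark version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def parse_spark_defaults(text: str) -> dict:
    """Parse spark-defaults.conf lines of the form 'key value' or 'key = value';
    '#' starts a comment, blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # malformed line; skip rather than guess
        conf[parts[0]] = parts[1].strip()
    return conf


def is_affected(version: str, conf: dict) -> bool:
    """True when the deployment is in the advisory's affected range AND is the
    configuration the resend calls out: standalone master (spark://...) with
    spark.authenticate enabled."""
    standalone = conf.get("spark.master", "").startswith("spark://")
    auth_enabled = conf.get("spark.authenticate", "false").lower() == "true"
    return parse_version(version) < FIRST_FIXED and standalone and auth_enabled


def check_deployment(version: str, conf_text: str) -> dict:
    """Summarise one deployment for an inventory report."""
    conf = parse_spark_defaults(conf_text)
    return {
        "version": version,
        "standalone": conf.get("spark.master", "").startswith("spark://"),
        "spark.authenticate": conf.get("spark.authenticate", "false"),
        "affected": is_affected(version, conf),
        "action": "upgrade to 2.4.6 or 3.0.0+" if is_affected(version, conf) else "none",
    }


if __name__ == "__main__":
    for v in ("2.4.5", "2.4.6", "3.0.0"):
        print(check_deployment(v, SAMPLE_CONF))
```

Run it against the real spark-defaults.conf and the version reported by the master's web UI or `spark-submit --version`; a deployment that is standalone and authenticated but already on 2.4.6 or later is reported as not affected, which is the outcome the advisory's mitigation is meant to produce.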