Correct: as per the code below from SecurityManager.scala, if acls aren't
enabled, we skip the vulnerable code path (getCurrentUserGroups)
  private def isUserInACL(
      user: String,
      aclUsers: Set[String],
      aclGroups: Set[String]): Boolean = {
    if (user == null ||
CCing Kostya for a better view, but I believe that this will not be an
issue if you're not using the ACLs in Spark, yes.
On Mon, Nov 21, 2022 at 2:38 PM Andrew Pomponio wrote:
> I am using Spark 2.3.0 and trying to mitigate
> https://nvd.nist.gov/vuln/detail/CVE-2022-33891. The correct thing to
I am using Spark 2.3.0 and trying to mitigate
https://nvd.nist.gov/vuln/detail/CVE-2022-33891. The correct thing to do is to
update. However, I am told this is not happening. Thus, I am trying to
determine if the following are set:
spark.acls.enable false
spark.history.ui.acls.enable false
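
One way to run the check discussed in this thread, as an added example that is not part of any message above or of Spark itself: it parses the text of a spark-defaults.conf and reports the state of the two ACL keys named in the question. The function names and sample file contents are constructed for illustration, and values passed with --conf or set in application code are not visible to a file check like this.

```python
import re

# The two keys named in the thread.
ACL_KEYS = ("spark.acls.enable", "spark.history.ui.acls.enable")

# spark-defaults.conf uses Java properties syntax: key and value are
# separated by whitespace, '=' or ':'; the value may be missing.
_LINE = re.compile(r"^([^\s=:]+)(?:\s*[=:\s]\s*(.*))?$")

# Constructed sample contents, not taken from the thread.
SAMPLE_CONF = """\
# cluster defaults
spark.master                  spark://host.example:7077
spark.acls.enable             true
spark.history.ui.acls.enable=False
spark.acls.enable:false
"""


def parse_spark_defaults(text):
    """Return {key: value}; a later line overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":   # comment lines
            continue
        match = _LINE.match(line)
        if match:
            conf[match.group(1)] = match.group(2) or ""
    return conf


def audit_acl_settings(text, keys=ACL_KEYS):
    """Map each key to 'unset', 'true', 'false' or 'invalid'."""
    conf = parse_spark_defaults(text)
    report = {}
    for key in keys:
        if key not in conf:
            report[key] = "unset"
        else:
            value = conf[key].lower()   # boolean values are case-insensitive
            report[key] = value if value in ("true", "false") else "invalid"
    return report


def acl_check_reachable(text):
    """True if any ACL key is on, or unparseable and so needing review."""
    return any(s in ("true", "invalid") for s in audit_acl_settings(text).values())
```

A result of "unset" means the key does not appear in the file, so Spark falls back to its default of false for that key.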