{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-058.pdf"
    },
    "title": "Critical Shell Command Injection Vulnerability in Apache Spark",
    "serial_number": "2022-058",
    "publish_date": "03-08-2022 07:15:00",
    "description": "On July 18, Apache Spark released a security bulletin regarding a newly found critical vulnerability within Apache Spark's ACL implementation, tracked as CVE-2022-33891 and with a CVSS score of 8.8 out of 10. The flaw was discovered by a security researcher; a proof of concept (PoC) exploit is already available on GitHub, and exploitation attempts in the wild have been detected since at least July 26.<br><br>Apache Spark is an open-source, unified engine for large-scale data analytics, which executes data engineering, data science, and machine learning tasks. Additionally, it provides high-level APIs in multiple programming languages.",
    "url_title": "2022-058",
    "content_markdown": "---\ntitle: 'Critical Shell Command Injection Vulnerability in Apache Spark'\nversion: '1.0'\nnumber: '2022-058'\noriginal_date: 'July 18, 2022'\ndate: 'August 3, 2022'\n---\n\n_History:_\n\n* _03/08/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn July 18, Apache Spark released a security bulletin [1] regarding a newly found critical vulnerability within Apache Spark's ACL implementation, tracked as **CVE-2022-33891** and with a CVSS score of 8.8 out of 10. The flaw was discovered by a security researcher; a proof of concept (PoC) exploit is already available on GitHub [2], and exploitation attempts in the wild have been detected since at least July 26.\n\nApache Spark is an open-source, unified engine for large-scale data analytics, which executes data engineering, data science, and machine learning tasks. Additionally, it provides high-level APIs in multiple programming languages [3].\n\n# Technical Details\n\nThe flaw could allow adversaries to perform **arbitrary shell command execution** as the current Spark user. The issue stems from the Apache Spark UI's ability to enable ACLs via the configuration option `spark.acls.enable`.\n\nIf ACLs are enabled, an HttpSecurityFilter code path allows adversaries to impersonate an arbitrary user by supplying that user name. If this succeeds, the attacker reaches a permission check function that launches a Unix shell command, which eventually leads to arbitrary shell command execution.\n\n# Affected Products\n\nThe following Apache Spark versions are affected by this flaw:\n\n- 3.0.3 and earlier\n- 3.1.1 to 3.1.2\n- 3.2.0 to 3.2.1\n\n# Recommendations\n\nTo ensure your instances are protected from exploitation attempts, it is highly recommended to upgrade to one of the following Apache Spark maintenance releases:\n\n- 3.1.3\n- 3.2.2\n- 3.3.0 or later\n\n# References\n\n[1] <https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc>\n\n[2] <https://github.com/W01fh4cker/cve-2022-33891>\n\n[3] <https://spark.apache.org/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>03/08/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On July 18, Apache Spark released a security bulletin [1] regarding a newly found critical vulnerability within Apache Spark's ACL implementation, tracked as <strong>CVE-2022-33891</strong> and with a CVSS score of 8.8 out of 10. The flaw was discovered by a security researcher; a proof of concept (PoC) exploit is already available on GitHub [2], and exploitation attempts in the wild have been detected since at least July 26.</p><p>Apache Spark is an open-source, unified engine for large-scale data analytics, which executes data engineering, data science, and machine learning tasks. Additionally, it provides high-level APIs in multiple programming languages [3].</p><h2 id=\"technical-details\">Technical Details</h2><p>The flaw could allow adversaries to perform <strong>arbitrary shell command execution</strong> as the current Spark user. The issue stems from the Apache Spark UI's ability to enable ACLs via the configuration option <code>spark.acls.enable</code>.</p><p>If ACLs are enabled, an HttpSecurityFilter code path allows adversaries to impersonate an arbitrary user by supplying that user name. If this succeeds, the attacker reaches a permission check function that launches a Unix shell command, which eventually leads to arbitrary shell command execution.</p><h2 id=\"affected-products\">Affected Products</h2><p>The following Apache Spark versions are affected by this flaw:</p><ul><li>3.0.3 and earlier</li><li>3.1.1 to 3.1.2</li><li>3.2.0 to 3.2.1</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>To ensure your instances are protected from exploitation attempts, it is highly recommended to upgrade to one of the following Apache Spark maintenance releases:</p><ul><li>3.1.3</li><li>3.2.2</li><li>3.3.0 or later</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc\">https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/W01fh4cker/cve-2022-33891\">https://github.com/W01fh4cker/cve-2022-33891</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://spark.apache.org/\">https://spark.apache.org/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}