--- licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0) licence_link: https://creativecommons.org/licenses/by/4.0/ licence_restrictions: https://cert.europa.eu/legal-notice licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies title: 'Critical Shell Command Injection Vulnerability in Apache Spark' version: '1.0' number: '2022-058' original_date: 'July 18, 2022' date: 'August 3, 2022' --- _History:_ * _03/08/2022 --- v1.0 -- Initial publication_ # Summary On July 18, Apache Spark released a security bulletin [1] regarding a newly found critical vulnerability within Apache Spark's ACL implementation, tracked as **CVE-2022-33891** and with a CVSS score of 8.8 out of 10. The flaw was discovered by a security researcher, with the proof of concept (PoC) exploit already available on GitHub [2] and exploitation attempts in the wild being detected since, at least, July 26th. Apache Spark is an open-source, unified engine for large-scale data analytics, which executes data engineering, data science, and machine learning tasks. Additionally, it provides high-level APIs in multiple programming languages[3]. # Technical Details The flaw could allow adversaries to perform **arbitrary shell command execution** as a current Spark user. The issue stems from the Apache Spark UI ability to enable ACLs via the configuration option `spark.acls.enable`. If ACLs are enabled, a HttpSecurityFilter code path allows adversaries to perform impersonation by providing an arbitrary user name. In case of success, an attacker will be able to reach a permission check function, which will allow them to launch a Unix shell command. This eventually leads to the arbitrary shell command execution. # Affected Products The following Apache Spark versions are affected by this flaw: - 3.0.3 and earlier - 3.1.1 to 3.1.2 - 3.2.0 to 3.2.1 # Recommendations To ensure your instances are protected from exploitation attempts, it is highly recommended to upgrade to Apache Spark maintenance release: - 3.1.3 - 3.2.2 - 3.3.0 or later # References [1] [2] [3]