Apache Spark <= 3.0.3 / 3.1.1 < 3.1.3 / 3.2.x < 3.2.1 RCE (CVE-2022-33891)

Nessus Plugin ID 172446 (severity: high)

Synopsis

The remote host contains a web application that is affected by a remote command execution vulnerability.

Description

A remote code execution vulnerability exists in Apache Spark. The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. When an authentication filter is in place, this check determines whether a user has permission to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by supplying an arbitrary user name. A malicious user might then be able to reach a permission check function that ultimately builds a Unix shell command from their input and executes it. The result is arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

Solution

Upgrade Apache Spark to 3.1.3, 3.2.2, 3.3.0, or later.

See Also

https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc

Plugin Details

Severity: High

ID: 172446

File Name: apache_spark_cve-2022-33891.nbin

Version: 1.9

Type: remote

Family: Misc.

Published: 3/10/2023

Updated: 7/17/2023

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2022-33891

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:spark

Required KB Items: installed_sw/Apache Spark

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 7/17/2022

Vulnerability Publication Date: 7/17/2022

CISA Known Exploited Vulnerability Due Dates: 3/28/2023

Exploitable With

Metasploit (Apache Spark Unauthenticated Command Injection RCE)

Reference Information

CVE: CVE-2022-33891