Apache Spark <= 3.0.3 / 3.1.x > 3.1.1 / 3.2.x < 3.2.1 RCE (CVE-2022-33891)

high Nessus Plugin ID 173429

Synopsis

The remote host contains a web application that is affected by a remote command execution vulnerability.

Description

A remote code execution vulnerability exists in Apache Spark. The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 through 3.1.3, and versions 3.2.0 to 3.2.1.

Note that 3.1.3 was originally declared not to be vulnerable but this was updated in CVE-2023-32007.

Solution

Upgrade Apache Spark to 3.2.2, 3.3.0, or later.

See Also

https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc

https://lists.apache.org/thread/poxgnxhhnzz735kr1wos366l5vdbb0nv

Plugin Details

Severity: High

ID: 173429

File Name: apache_spark_rce_cve-2022-33891.nasl

Version: 1.2

Type: remote

Family: Misc.

Published: 3/27/2023

Updated: 10/24/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-32007

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:spark

Required KB Items: installed_sw/Apache Spark

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 7/17/2022

Vulnerability Publication Date: 7/17/2022

CISA Known Exploited Vulnerability Due Dates: 3/28/2023

Exploitable With

Metasploit (Apache Spark Unauthenticated Command Injection RCE)

Reference Information

CVE: CVE-2022-33891, CVE-2023-32007