logo

Database

Excessive privileges In org.apache.spark:spark-core

Description

Apache Spark vulnerable to Improper Privilege Management In Apache Spark versions prior to versions 3.4.0 and 3.3.3, applications using spark-submit can specify a proxy-user to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.

Update to Apache Spark 3.4.0, 3.3.3, or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-229462. NVD-2023-229463. OSV-2023-229464. GCVE-2023-22946

References

1. https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv2. https://github.com/apache/spark/pull/394743. https://github.com/apache/spark/pull/414284. https://github.com/apache/spark/commit/909da96e1471886a01a9e1def93630c4fd40e74a5. https://github.com/degant/spark/commit/bfba57724d2520e0fcaa7990f7257c21d11cd75a6. https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2023-44.yaml7. https://issues.apache.org/jira/browse/SPARK-41958

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.