Fluid Attacks Database

Description

Sensitive data written to disk unencrypted in Spark Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.apache.spark:spark-core_2.11	>=0 <2.3.3	2.3.3
pypi	pyspark	>=0 <2.3.3	2.3.3
maven	org.apache.spark:spark-core	>=1.0.2 <=1.6.3 \|\| >=2.0.0 <=2.0.2 \|\| >=2.1.0 <=2.1.3 \|\| >=2.2.0 <=2.2.2 \|\| >=2.3.0 <2.3.2	2.3.2

Aliases

1. CVE-2019-100992. NVD-2019-100993. OSV-2019-100994. GCVE-2019-10099

References

1. https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2019-114.yaml2. https://lists.apache.org/thread.html/c2a39c207421797f82823a8aff488dcd332d9544038307bf69a2ba9e@%3Cuser.spark.apache.org%3E3. https://lists.apache.org/thread.html/ra216b7b0dd82a2c12c2df9d6095e689eb3f3d28164e6b6587da69fae@%3Ccommits.spark.apache.org%3E4. https://lists.apache.org/thread.html/rabe1d47e2bf8b8f6d9f3068c8d2679731d57fa73b3a7ed1fa82406d2@%3Cissues.spark.apache.org%3E

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.