spark-issues mailing list archives

From "Marcelo Vanzin (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (SPARK-20922) Unsafe deserialization in Spark LauncherConnection
Date Thu, 01 Jun 2017 21:47:05 GMT

     [ https://issues.apache.org/jira/browse/SPARK-20922?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marcelo Vanzin resolved SPARK-20922.
------------------------------------
       Resolution: Fixed
         Assignee: Marcelo Vanzin
    Fix Version/s: 2.3.0
                   2.2.1
                   2.1.2
                   2.0.3

> Unsafe deserialization in Spark LauncherConnection
> --------------------------------------------------
>
>                 Key: SPARK-20922
>                 URL: https://issues.apache.org/jira/browse/SPARK-20922
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Submit
>    Affects Versions: 2.1.1
>            Reporter: Aditya Sharad
>            Assignee: Marcelo Vanzin
>              Labels: security
>             Fix For: 2.0.3, 2.1.2, 2.2.1, 2.3.0
>
>         Attachments: spark-deserialize-master.zip
>
>
> The {{run()}} method of the class {{org.apache.spark.launcher.LauncherConnection}} performs
> unsafe deserialization of data received by its socket. This makes Spark applications launched
> programmatically using the {{SparkLauncher}} framework potentially vulnerable to remote code
> execution by an attacker with access to any user account on the local machine. Such an attacker
> could send a malicious serialized Java object to multiple ports on the local machine, and
> if this port matches the one (randomly) chosen by the Spark launcher, the malicious object
> will be deserialized. By making use of gadget chains in code present on the Spark application
> classpath, the deserialization process can lead to RCE or privilege escalation.
> This vulnerability is identified by the “Unsafe deserialization” rule on lgtm.com:
> https://lgtm.com/projects/g/apache/spark/snapshot/80fdc2c9d1693f5b3402a79ca4ec76f6e422ff13/files/launcher/src/main/java/org/apache/spark/launcher/LauncherConnection.java#V58
>
> Attached is a proof-of-concept exploit involving a simple {{SparkLauncher}}-based application
> and a known gadget chain in the Apache Commons Beanutils library referenced by Spark.
> See the readme file for demonstration instructions.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
