Date: Thu, 1 Jun 2017 21:47:05 +0000 (UTC)
From: "Marcelo Vanzin (JIRA)"
To: issues@spark.apache.org
Subject: [jira] [Resolved] (SPARK-20922) Unsafe deserialization in Spark LauncherConnection

[ https://issues.apache.org/jira/browse/SPARK-20922?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marcelo Vanzin resolved SPARK-20922.
------------------------------------
    Resolution: Fixed
      Assignee: Marcelo Vanzin
 Fix Version/s: 2.3.0
                2.2.1
                2.1.2
                2.0.3

> Unsafe deserialization in Spark LauncherConnection
> --------------------------------------------------
>
>                 Key: SPARK-20922
>                 URL: https://issues.apache.org/jira/browse/SPARK-20922
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Submit
>    Affects Versions: 2.1.1
>            Reporter: Aditya Sharad
>            Assignee: Marcelo Vanzin
>              Labels: security
>             Fix For: 2.0.3, 2.1.2, 2.2.1, 2.3.0
>
>         Attachments: spark-deserialize-master.zip
>
>
> The {{run()}} method of the class {{org.apache.spark.launcher.LauncherConnection}} performs unsafe deserialization of data received by its socket. This makes Spark applications launched programmatically using the {{SparkLauncher}} framework potentially vulnerable to remote code execution by an attacker with access to any user account on the local machine. Such an attacker could send a malicious serialized Java object to multiple ports on the local machine, and if this port matches the one (randomly) chosen by the Spark launcher, the malicious object will be deserialized. By making use of gadget chains in code present on the Spark application classpath, the deserialization process can lead to RCE or privilege escalation.
> This vulnerability is identified by the “Unsafe deserialization” rule on lgtm.com:
> https://lgtm.com/projects/g/apache/spark/snapshot/80fdc2c9d1693f5b3402a79ca4ec76f6e422ff13/files/launcher/src/main/java/org/apache/spark/launcher/LauncherConnection.java#V58
> Attached is a proof-of-concept exploit involving a simple {{SparkLauncher}}-based application and a known gadget chain in the Apache Commons Beanutils library referenced by Spark.
> See the readme file for demonstration instructions.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
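The issue above describes an ObjectInputStream fed from a socket with no restriction on which classes it will instantiate, so any gadget class on the application classpath is reachable by whoever can write to the port. The following is an added example of the defensive pattern, written for this page; it is not Spark's patch and not the attached proof of concept. It subclasses ObjectInputStream and refuses, in resolveClass, every class that is not on a short allow-list, so an unexpected class is rejected before any of its bytes become an object. The Hello message type, the ALLOWED_PREFIXES list and all class names are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;

public class FilteredDeserializationExample {

    // Hypothetical message type standing in for a launcher protocol's own messages.
    public static final class Hello implements Serializable {
        private static final long serialVersionUID = 1L;
        final String secret;
        Hello(String secret) { this.secret = secret; }
    }

    // Allow-list (assumed for this example): only the message classes nested in this
    // file plus java.lang types. Anything else is refused before it is instantiated,
    // so a gadget class that happens to be on the classpath is never touched.
    static final List<String> ALLOWED_PREFIXES = Arrays.asList(
        FilteredDeserializationExample.class.getName() + "$",
        "java.lang.");

    static final class FilteredObjectInputStream extends ObjectInputStream {
        FilteredObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (String prefix : ALLOWED_PREFIXES) {
                if (name.startsWith(prefix)) {
                    return super.resolveClass(desc);
                }
            }
            // InvalidClassException is an IOException, so code that already handles
            // socket errors also handles a rejected class without extra plumbing.
            throw new InvalidClassException(name, "class not permitted on this connection");
        }
    }

    /** Reads one message from untrusted bytes; only allow-listed classes are resolved. */
    static Object readMessage(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                 new FilteredObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    /** Serializes an object the way a peer would before writing it to the socket. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input 1: a legitimate protocol message is accepted.
        Object ok = readMessage(serialize(new Hello("launcher-secret")));
        System.out.println("accepted: " + ok.getClass().getName());

        // Constructed input 2: a HashMap stands in for any class outside the allow-list.
        // The stream is refused at resolveClass, before any field data is read.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        try {
            readMessage(serialize(unexpected));
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

The allow-list is deliberately a prefix match on the class name rather than a blocklist of known gadget classes: a blocklist has to be updated every time a new chain is published, while an allow-list only has to name the handful of message types the protocol actually exchanges. On JDK 9 and later the same policy can be expressed without a subclass through ObjectInputFilter (ObjectInputStream.setObjectInputFilter or the jdk.serialFilter system property), which can additionally cap object depth and array sizes.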