Improper Authentication in Apache Spark
Critical severity
GitHub Reviewed
Published
Feb 10, 2022
to the GitHub Advisory Database
•
Updated Feb 1, 2023
Package
Affected versions
<= 2.4.5
Patched versions
2.4.6
Description
Published by the National Vulnerability Database
Jun 23, 2020
Reviewed
May 11, 2021
Published to the GitHub Advisory Database
Feb 10, 2022
Last updated
Feb 1, 2023
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
References