BIT-spark-2022-33891
Impersonation vulnerability in spark-parent_2.12 (Maven)
What is BIT-spark-2022-33891 About?
This Apache Spark UI vulnerability allows impersonation and arbitrary shell command execution. When ACLs are enabled, a flaw in `HttpSecurityFilter` permits an attacker to impersonate any user by providing an arbitrary username, leading to remote code execution. The impact is severe, as an attacker can execute commands as the Spark user. Exploitation is highly probable and easy if ACLs are enabled.
Affected Software
- org.apache.spark:spark-parent_2.12
  - >3.1.1, <3.2.2
  - <=3.0.3
- pyspark
  - >3.1.1, <3.2.2
  - <3.1.1
  - <=3.0.3
Technical Details
The vulnerability in Apache Spark UI (versions 3.0.3 and earlier, 3.1.1 to 3.1.2, and 3.2.0 to 3.2.1) occurs when ACLs are enabled. The HttpSecurityFilter, intended for authentication, has a flaw that allows an attacker to perform impersonation. By providing an arbitrary user name (e.g., in a request header), the attacker can bypass proper authentication and assume the identity of that user. Subsequently, a code path in a permission check function is reached, which constructs a Unix shell command based on the attacker's input. Since the attacker controls the input and has successfully impersonated a user, this crafted command is executed with the privileges of the user that Spark is currently running as, resulting in arbitrary shell command execution.
What is the Impact of BIT-spark-2022-33891?
Successful exploitation may allow attackers to impersonate any user, execute arbitrary shell commands on the system running Spark, fully compromise the server, access sensitive data, or disrupt operations.
What is the Exploitability of BIT-spark-2022-33891?
Exploitation of this vulnerability requires access to the Spark UI when ACLs are enabled. The complexity is low, as it involves crafting a request with a manipulated username to trigger the impersonation and subsequent command execution. Authentication is typically required to access the Spark UI, but the vulnerability allows bypassing the intended authorization after initial authentication or in specific configurations lacking strong authentication for the UI. This is a remote vulnerability. No special privilege is needed beyond initial access to the Spark UI, as the impersonation grants effective privileges. The likelihood of exploitation is high if affected Apache Spark versions are running with ACLs enabled and are exposed to untrusted networks.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| HuskyHacks | Link | Apache Spark Shell Command Injection Vulnerability |
| W01fh4cker | Link | cve-2022-33891-poc |
| AmoloHT | Link | 「💥」CVE-2022-33891 - Apache Spark Command Injection |
What are the Available Fixes for BIT-spark-2022-33891?
Available Upgrade Options
- pyspark
  - <3.1.1 → Upgrade to 3.1.1
  - >3.1.1, <3.2.2 → Upgrade to 3.2.2
- org.apache.spark:spark-parent_2.12
  - >3.1.1, <3.2.2 → Upgrade to 3.2.2
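The following Python script is an added example, not part of this advisory or of the Apache Spark project. It encodes the affected version ranges and upgrade targets exactly as listed above, so a build or CI step can flag pinned pyspark or spark-parent_2.12 versions that fall inside them and report the upgrade the advisory names. The `assess` and `scan_requirements` function names and the requirements-file sample are assumptions made for this example; for the `<=3.0.3` ranges, where the advisory lists no explicit upgrade target, the script reports no target rather than guessing one.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges and upgrade targets as listed in the advisory above.
# Rule shape: (lower_bound, lower_inclusive, upper_bound, upper_inclusive, upgrade_to)
# A None bound is unbounded on that side; upgrade_to None means the advisory
# lists no explicit upgrade target for that range. First matching rule wins.
AFFECTED_RULES = {
    "pyspark": [
        ("3.1.1", False, "3.2.2", False, "3.2.2"),   # >3.1.1, <3.2.2 -> upgrade to 3.2.2
        (None,    False, "3.1.1", False, "3.1.1"),   # <3.1.1         -> upgrade to 3.1.1
        (None,    False, "3.0.3", True,  None),      # <=3.0.3        (no target listed)
    ],
    "org.apache.spark:spark-parent_2.12": [
        ("3.1.1", False, "3.2.2", False, "3.2.2"),   # >3.1.1, <3.2.2 -> upgrade to 3.2.2
        (None,    False, "3.0.3", True,  None),      # <=3.0.3        (no target listed)
    ],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.2.1' (or '3.2.1-SNAPSHOT') into a comparable tuple of ints.

    Non-numeric suffixes are dropped and missing components compare as 0,
    so '3.2' and '3.2.0' are equal.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def in_range(version: str, lo: Optional[str], lo_incl: bool,
             hi: Optional[str], hi_incl: bool) -> bool:
    """True when version lies inside the (possibly half-open) bound pair."""
    v = parse_version(version)
    if lo is not None:
        low = parse_version(lo)
        if v < low or (v == low and not lo_incl):
            return False
    if hi is not None:
        high = parse_version(hi)
        if v > high or (v == high and not hi_incl):
            return False
    return True


def assess(package: str, version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, upgrade_to) for one package/version pair."""
    for lo, lo_incl, hi, hi_incl, target in AFFECTED_RULES.get(package, []):
        if in_range(version, lo, lo_incl, hi, hi_incl):
            return True, target
    return False, None


def scan_requirements(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Scan pip-style 'name==version' lines and list the affected pins."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        match = re.match(r"([A-Za-z0-9_.\-]+)==([0-9][^\s;]*)", line)
        if not match:
            continue                                  # not an exact pin
        name, ver = match.group(1).lower(), match.group(2)
        affected, target = assess(name, ver)
        if affected:
            findings.append((name, ver, target))
    return findings


# Constructed sample input (not taken from the advisory): one affected pin
# among two unrelated packages.
SAMPLE_REQUIREMENTS = """\
pandas==1.5.3
pyspark==3.2.1   # constructed pin inside the >3.1.1, <3.2.2 range
numpy==1.24.0
"""

if __name__ == "__main__":
    for name, ver, target in scan_requirements(SAMPLE_REQUIREMENTS):
        fix = f"upgrade to {target}" if target else "no upgrade target listed"
        print(f"{name}=={ver} is affected by BIT-spark-2022-33891: {fix}")
```

Point `scan_requirements` at a real requirements file, or call `assess` with the Maven coordinate and the version resolved from a `pom.xml`, to get the same verdicts for JVM builds. The ranges are taken from the advisory as written, so the script inherits its boundaries rather than the wider window given in the Technical Details section.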
Additional Resources
- https://www.openwall.com/lists/oss-security/2023/05/02/1
- https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
- https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-236.yaml
- http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
- https://github.com/apache/spark
- http://www.openwall.com/lists/oss-security/2023/05/02/1
- https://nvd.nist.gov/vuln/detail/CVE-2022-33891
- https://osv.dev/vulnerability/GHSA-4x9r-j582-cgr8
- https://github.com/advisories/GHSA-4x9r-j582-cgr8
What are Similar Vulnerabilities to BIT-spark-2022-33891?
Similar Vulnerabilities: CVE-2018-11776, CVE-2019-0227, CVE-2020-9489, CVE-2021-33189, CVE-2023-32009
