BIT-spark-2023-22946
Privilege Escalation vulnerability in pyspark (PyPI)

Category: Privilege Escalation. Known public exploit: none.

What is BIT-spark-2023-22946 About?

This Privilege Escalation vulnerability in Apache Spark allows an application submitted via `spark-submit` with a 'proxy-user' to execute code with the privileges of the submitting user rather than those of the proxy user. It occurs when malicious configuration-related classes are supplied on the classpath at submission time, bypassing the intended privilege limitation. It is moderately complex to exploit, as it requires knowledge of Spark's submission and classpath mechanisms.

Affected Software

  • pyspark
    • <3.4.0
    • <3.3.2
  • org.apache.spark:spark-core_2.12
    • <3.3.3
  • org.apache.spark:spark-core_2.13
    • <3.3.3

Technical Details

The vulnerability affects Apache Spark versions prior to 3.4.0, specifically impacting applications submitted via spark-submit that utilize the 'proxy-user' feature. While 'proxy-user' is intended to limit privileges, an attacker can bypass this by supplying malicious configuration-related classes on the classpath during application submission. These malicious classes are then loaded and executed with the higher privileges of the submitting user, rather than the intended restricted privileges of the 'proxy-user'. This mechanism allows for privilege escalation, as the malicious code can then perform actions beyond the scope intended for the 'proxy-user'. This is particularly relevant in architectures like Apache Livy which rely on proxy-user for privilege separation.

What is the Impact of BIT-spark-2023-22946?

Successful exploitation may allow attackers to execute code with elevated privileges, potentially leading to unauthorized access to data, modification of system configurations, or complete system compromise.

What is the Exploitability of BIT-spark-2023-22946?

Exploitation of this Privilege Escalation vulnerability requires the ability to submit applications to Apache Spark using spark-submit, likely requiring authenticated access to the Spark cluster or gateway. The complexity is moderate, as it involves crafting malicious classes and understanding how to inject them into the classpath during submission. This is typically a local attack in the context of the Spark cluster, where an authenticated user with limited privileges can escalate them. The likelihood of exploitation is increased if users have the ability to submit arbitrary applications to Spark, especially if the spark.submit.proxyUser.allowCustomClasspathInClusterMode setting is not explicitly set to 'false' or can be overridden by submitted applications.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for BIT-spark-2023-22946?

Available Upgrade Options

  • pyspark
    • <3.3.2 → Upgrade to 3.3.2
    • <3.4.0 → Upgrade to 3.4.0
  • org.apache.spark:spark-core_2.12
    • <3.3.3 → Upgrade to 3.3.3
  • org.apache.spark:spark-core_2.13
    • <3.3.3 → Upgrade to 3.3.3


Additional Resources

What are Similar Vulnerabilities to BIT-spark-2023-22946?

Similar Vulnerabilities: CVE-2020-13933, CVE-2019-12401, CVE-2018-11770, CVE-2018-8025, CVE-2017-12622