Introduction: Apache Spark, a widely used open-source unified analytics engine for big data processing, has recently been reported to have a critical security vulnerability (CVE-2023-32007) in its User Interface (UI) in unsupported versions. The vulnerability can allow malicious users to impersonate other users and execute arbitrary shell commands as the user account Spark is running as. The issue was previously disclosed as CVE-2022-33891 but was incorrectly considered not to affect version 3.1.3, which has since gone End-Of-Life (EOL).

In this post, we discuss the details of this vulnerability, analyze the code snippet that exposes the issue, and provide guidance on mitigation.

Source code snippet that gives rise to the vulnerability

```java
// Permission-check path in the UI's HttpSecurityFilter, as excerpted on this page
// (elided parts are shown as "..." in the original).
if (aclsEnabled) {
  HttpRequestWrapper requestWrapper = ...
  AuthenticateResponse authn = ...
  ....
  // The user name is taken from the request-derived authn object ...
  String userName = authn.getUserName();
  // ... and handed to checkPermission, which resolves the user's groups
  // by building and running a Unix shell command from that name.
  checkPermission(SecurityManager.getAppKey(appId), userName);
  ....
}
```

Exploit details

The Apache Spark UI provides the option to enable Access Control Lists (ACLs) via the configuration option spark.acls.enable. When combined with an authentication filter, this checks whether a user has the necessary permissions to view or modify an application. However, when ACLs are enabled, a code path in the HttpSecurityFilter class allows impersonation by supplying an arbitrary user name. A malicious user who controls that user name can perform actions they are not authorized for, and can reach the permission check function, which builds and executes a Unix shell command based on their input.

The result is arbitrary shell command execution as the user account Spark is running as, which can lead to unauthorized access to data or tampering with the application in question.
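The root cause described above has two halves: the user name is attacker-controlled, and that name is interpolated into a shell command when groups are resolved. The following added example (written for this post, not Spark's own code, and using `id -Gn <user>` as an assumed group-lookup command) shows the hardened shape of the second half: a strict allowlist on the user name, no shell at all (the name is a single argv element), and a fail-closed permission check. The `runner` parameter is an assumption of this example so the logic can be exercised without real accounts; the first half, taking identity only from the authentication filter and never from request input, still has to be enforced upstream.

```python
import re
import subprocess
from typing import Callable, Iterable, Optional

# Allowlist for the user name: the POSIX "portable user name" character set,
# length 1..32. Spaces, ';', '$', '`', '|', quotes and similar never pass,
# so they never get near a process launch. (Pattern chosen for this example;
# tighten it to whatever your deployment actually allows.)
_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_valid_username(name: str) -> bool:
    """Return True only for names that match the allowlist."""
    return bool(_USERNAME_RE.fullmatch(name))


def group_lookup_argv(user: str) -> list[str]:
    """Argument vector for 'id -Gn <user>'. No shell is involved, so the name
    is one argv element and cannot be reinterpreted as a command."""
    if not is_valid_username(user):
        raise ValueError(f"rejected user name {user!r}")
    return ["id", "-Gn", user]


def lookup_groups(user: str,
                  runner: Optional[Callable[[list[str]], str]] = None) -> list[str]:
    """Resolve the OS groups of a user via argv-based exec (no shell).
    `runner` is injectable (assumed for this example) so the logic can be
    tested without a real account on the box."""
    argv = group_lookup_argv(user)
    if runner is None:
        runner = lambda a: subprocess.run(
            a, capture_output=True, text=True, check=True).stdout
    return runner(argv).split()


def check_permission(user: str,
                     view_acls: Iterable[str],
                     view_acl_groups: Iterable[str],
                     runner: Optional[Callable[[list[str]], str]] = None) -> bool:
    """Fail-closed ACL check: a malformed user name is denied before any
    lookup, a directly listed user is allowed, and otherwise the user's
    groups are resolved and compared against the group ACL."""
    if not is_valid_username(user):
        return False
    if user in set(view_acls):
        return True
    group_acl = set(view_acl_groups)
    if not group_acl:
        return False
    try:
        groups = lookup_groups(user, runner)
    except (subprocess.CalledProcessError, FileNotFoundError):
        # Unknown user or missing 'id' binary: deny rather than guess.
        return False
    return any(g in group_acl for g in groups)


if __name__ == "__main__":
    # Constructed inputs: a fake runner standing in for the real 'id' call.
    fake = lambda argv: "bob hadoop\n"
    print(check_permission("bob", ["alice"], ["hadoop"], runner=fake))      # True
    print(check_permission("bob;date", ["bob;date"], ["hadoop"], runner=fake))  # False
```

The check rejects the malformed name before consulting either ACL, so even a request that lists the injected string as an allowed user is denied; the design point is that validation and argv-based exec are applied regardless of where the name came from.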

Mitigation

As this vulnerability affects releases that are no longer supported by the maintainers, users are advised to upgrade to a supported version of Apache Spark. At the time of writing, the latest stable version is 3.4., which addresses this vulnerability. To upgrade, download the latest version from the official Apache Spark website: Apache Spark Downloads

Summary and Recommendations

In conclusion, the Apache Spark UI ACL bypass and command injection vulnerability (CVE-2023-32007) is a critical security issue in unsupported versions of Apache Spark. It is mitigated by upgrading to a supported version, including the latest 3.4. release, and users are strongly encouraged to upgrade as soon as possible.

*Upgrade to a supported version of Apache Spark:*
- Apache Spark Downloads

*Refer to the official announcement and documentation for more information:*
- CVE-2023-32007 – Apache Spark Official Announcement
- Apache Spark Security Documentation

Timeline

Published on: 05/02/2023 09:15:00 UTC
Last modified on: 05/10/2023 20:16:00 UTC