In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.
Update to Apache Spark 3.4.0 or later, and ensure that
spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its
default of "false", and is not overridden by submitted applications.
References
Link | Resource |
---|---|
https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv | Mailing List Vendor Advisory |
Configurations
History
26 Apr 2023, 23:00
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv - Mailing List, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.9 |
CPE | cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:* |
17 Apr 2023, 13:12
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-04-17 08:15
Updated : 2024-02-04 23:37
NVD link : CVE-2023-22946
Mitre link : CVE-2023-22946
CVE.ORG link : CVE-2023-22946
JSON object : View
Products Affected
apache
- spark
CWE
CWE-269
Improper Privilege Management