Apache Spark CI Vulnerability
SonicWall Capture Labs Threat Research Team has observed the following threat:
Apache Spark is a unified analytics engine for large-scale data processing. It provides high-level APIs in Java, Scala, Python and R, and an optimized engine that supports general execution graphs. It also supports a rich set of higher-level tools including Spark SQL for SQL and structured data processing, pandas API on Spark for pandas workloads, MLlib for machine learning, GraphX for graph processing, and Structured Streaming for incremental computation and stream processing.
A command execution vulnerability has been reported in Apache Spark. The vulnerability is due to errors in parsing user requests when access control list (ACL) is enabled. Successful exploitation of this vulnerability can result in the execution of arbitrary commands.
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-33891.
Common Vulnerability Scoring System (CVSS):
The overall CVSS score is 9.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).
Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is none.
• Scope is changed.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is high.
• Impact of this vulnerability on data availability is high.
Temporal score is 9.0 (E:P/RL:O/RC:C), based on the following metrics:
• The exploit code maturity level of this vulnerability is proof of concept.
• The remediation level of this vulnerability is official fix.
• The report confidence level of this vulnerability is confirmed.
The vulnerability is due to insufficient sanitation of the "doAs" parameter when processing incoming requests to the web UI. When a request is made to the web interface of an Apache Spark component, the function doFilter() is called to check if the user is authorized to view the web UI. The function will check if the "doAs" parameter is set and if the user is authorized to impersonate another user. If both conditions are met, the function checkUIViewPermissions() is called, this function will in turn call isUserInACL(). The parameters "doAs", "viewAcls" and "viewAclsGroups" contain usernames and groups of users allowed to access the resources as defined in the Spark configuration.
The getCurrentUserGroups() function will build a bash command line to call the id command to get the user's groups and then pass it to executeAndGetOutput() to execute it. However, the username from the "doAs" parameter is not sanitized before it is added to the command line allowing an attacker to inject their own malicious commands.
A remote, unauthenticated attacker can exploit this vulnerability by sending a request containing a crafted "doAs" parameter to the web UI of any vulnerable component. Successful exploitation can result in arbitrary OS command injection under the security context of the user running the Spark component.
Triggering the Problem:
• The target system must have the vulnerable product installed and running.
• The target system must be running the web UI for one of the vulnerable components.
• The web interface must be configured to use the ACL.
• If the history server UI is targeted, the server must have data for at least one app ID.
• "spark.ui.view.acls" and "spark.ui.view.acls.groups" in the configuration must not contain the wildcard value "*".
The attacker sends a request with a crafted "doAs" parameter to the target server. The vulnerability is triggered when the server processes the request.
The following application protocols can be used to deliver an attack that exploits this vulnerability:
SonicWall's, (IPS) Intrusion Prevention System, provides protection against this threat:
• IPS:3083 Apache Spark UI Remote Command Execution 2
• IPS:3084 Apache Spark UI Remote Command Execution 3
The risks posed by this vulnerability can be mitigated or eliminated by:
• Detecting and filtering malicious traffic using the signatures above.
• Updating to a non-vulnerable version of the product.
• Disabling ACLs for the web UI for any component if it is not in use.
• Disabling the web UI for any component if it is not in use.
The vendor has released the following advisory regarding this vulnerability: