Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2018-11770

Опубликовано: 14 авг. 2018
Источник: redhat
CVSS3: 6.5
EPSS Высокий

Описание

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Fuse 7sparkNot affected
Red Hat JBoss Fuse 6sparkNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-306
https://bugzilla.redhat.com/show_bug.cgi?id=1615652spark: Missing authentication allows users to run driver programs via the REST API

EPSS

Процентиль: 99%
0.87702
Высокий

6.5 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2018-11770

CVSS3: 4.2
nvd
больше 7 лет назад

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.re

debian логотип

CVE-2018-11770

CVSS3: 4.2
debian
больше 7 лет назад

From version 1.3.0 onward, Apache Spark's standalone master exposes a ...

github логотип

GHSA-w4r4-65mg-45x2

CVSS3: 4.2
github
около 7 лет назад

org.apache.spark:spark-core_2.10 and org.apache.spark:spark-core_2.11 Improper Authentication vulnerability

EPSS

Процентиль: 99%
0.87702
Высокий

6.5 Medium

CVSS3