Apache Spark CI Vulnerability



  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Apache Spark is a unified analytics engine for large-scale data processing. It provides high-level APIs in Java, Scala, Python and R, and an optimized engine that supports general execution graphs. It also supports a rich set of higher-level tools including Spark SQL for SQL and structured data processing, pandas API on Spark for pandas workloads, MLlib for machine learning, GraphX for graph processing, and Structured Streaming for incremental computation and stream processing.

  A command execution vulnerability has been reported in Apache Spark. The vulnerability is due to errors in parsing user requests when access control list (ACL) is enabled. Successful exploitation of this vulnerability can result in the execution of arbitrary commands.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-33891.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.0 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The vulnerability is due to insufficient sanitation of the “doAs” parameter when processing incoming requests to the web UI. When a request is made to the web interface of an Apache Spark component, the function doFilter() is called to check if the user is authorized to view the web UI. The function will check if the “doAs” parameter is set and if the user is authorized to impersonate another user. If both conditions are met, the function checkUIViewPermissions() is called, this function will in turn call isUserInACL(). The parameters “doAs”, “viewAcls” and “viewAclsGroups” contain usernames and groups of users allowed to access the resources as defined in the Spark configuration.

  The getCurrentUserGroups() function will build a bash command line to call the id command to get the user’s groups and then pass it to executeAndGetOutput() to execute it. However, the username from the “doAs” parameter is not sanitized before it is added to the command line allowing an attacker to inject their own malicious commands.

  A remote, unauthenticated attacker can exploit this vulnerability by sending a request containing a crafted “doAs” parameter to the web UI of any vulnerable component. Successful exploitation can result in arbitrary OS command injection under the security context of the user running the Spark component.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The target system must be running the web UI for one of the vulnerable components.
  • The web interface must be configured to use the ACL.
  • If the history server UI is targeted, the server must have data for at least one app ID.
  • “spark.ui.view.acls” and “spark.ui.view.acls.groups” in the configuration must not contain the wildcard value “*”.

Triggering Conditions:

  The attacker sends a request with a crafted “doAs” parameter to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS


SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS:3083 Apache Spark UI Remote Command Execution 2

  • IPS:3084 Apache Spark UI Remote Command Execution 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Detecting and filtering malicious traffic using the signatures above.
    • Updating to a non-vulnerable version of the product.
    • Disabling ACLs for the web UI for any component if it is not in use.
    • Disabling the web UI for any component if it is not in use.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.