[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2018-11760: Apache Spark local privilege escalation vulnerability
From:       Imran Rashid <irashid () apache ! org>
Date:       2019-01-28 20:23:07
Message-ID: CAN_Cyt8SiMcy_JXH=VMGePOFZpu_-9bTWYjMUPSwGW3myy0xCQ () mail ! gmail ! com
[Download RAW message or body]


Severity: Important

Vendor: The Apache Software Foundation

Versions affected:
All Spark 1.x, Spark 2.0.x, and Spark 2.1.x versions
Spark 2.2.0 to 2.2.2
Spark 2.3.0 to 2.3.1

Description:
When using PySpark , it's possible for a different local user to connect to
the Spark application and impersonate the user running the Spark
application.  This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and
2.3.0 to 2.3.1.

Mitigation:
1.x, 2.0.x, 2.1.x, and 2.2.x users should upgrade to 2.2.3 or newer
2.3.x users should upgrade to 2.3.2 or newer
Otherwise, affected users should avoid using PySpark in multi-user
environments.

Credit:
This issue was reported by Luca Canali and Jose Carlos Luna Duran from CERN.

References:
https://spark.apache.org/security.html


[prev in list] [next in list] [prev in thread] [next in thread]