Apache Spark proxy-user privilege escalation from malicious configuration class
Description
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.
Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.spark:spark-core_2.12Maven | < 3.3.3 | 3.3.3 |
org.apache.spark:spark-core_2.13Maven | < 3.3.3 | 3.3.3 |
pysparkPyPI | < 3.3.2 | 3.3.2 |
Affected products
5- osv-coords4 versionspkg:bitnami/sparkpkg:maven/org.apache.spark/spark-core_2.12pkg:maven/org.apache.spark/spark-core_2.13pkg:pypi/pyspark
< 3.4.0+ 3 more
- (no CPE)range: < 3.4.0
- (no CPE)range: < 3.3.3
- (no CPE)range: < 3.3.3
- (no CPE)range: < 3.3.2
- Apache Software Foundation/Apache Sparkv5Range: 0
Patches
Vulnerability mechanics
References
9- github.com/advisories/GHSA-329j-jfvr-rhr6ghsaADVISORY
- lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gvghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-22946ghsaADVISORY
- github.com/apache/spark/commit/909da96e1471886a01a9e1def93630c4fd40e74aghsaWEB
- github.com/apache/spark/pull/39474ghsaWEB
- github.com/apache/spark/pull/41428ghsaWEB
- github.com/degant/spark/commit/bfba57724d2520e0fcaa7990f7257c21d11cd75aghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2023-44.yamlghsaWEB
- issues.apache.org/jira/browse/SPARK-41958ghsaWEB
News mentions
0No linked articles in our index yet.