CVE-2018-17190 Information

Description

In all versions of Apache Spark its standalone resource manager accepts code to execute on a ‘master’ host that then runs that code on ‘worker’ hosts. The master itself does not by design execute user code. A specially-crafted request to the master can however cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker the execution of code on the master is nevertheless unexpected.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://www.securityfocus.com/bid/105976 https://lists.apache.org/thread.html/341c3187f15cdb0d353261d2bfecf2324d56cb7db1339bfc7b30f6e5@3Cdev.spark.apache.org3E https://security.gentoo.org/glsa/201903-21 https://www.oracle.com/security-alerts/cpujul2020.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8