Sep 6, 2022

Breaking the Mold Halting a Hacker’s Code ep. 5 –Apache Spark Shell Command Injection Vulnerability

Threat Research

Introduction

Apache Spark is a distributed open-source system for large-scale data processing and fast general-purpose calculation. It also supports a wide range of advanced tools, including Spark SQL for SQL and DataFrames, pandas API on Spark for pandas workloads, MLlib for machine learning, GraphX for graph processing, and Structured Streaming for stream processing. Its powerful features combined with free access make it widely used worldwide. As a result, the shell command injection vulnerability has a broad impact.

Vulnerability

The shell command injection vulnerability revolves around manipulating application ACLs, which allows users/groups – excluding the owner who starts the application – access to an application. The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. If ACLs are enabled, Apache spark will go through the HttpSecurityFilter filter to verify the user’s permissions. In the code of HttpSecurityFilter, the username can be entered arbitrarily and the fields will be concatenated later. Therefore, a malicious user might then be able to inject a piece of shell command by separating the characters of the command to several username fields. Then after the fields are concatenated into a piece of the shell command the executeAndGetOutput function will cause the command to execute.

Affected Version

Spark Core – Apache<=3.0.3

3.1.1 <= Spark Core – Apache <=3.1.2

3.2.0 <= Spark Core – Apache <=3.2.1

Remediation

1. Official fix: The vendor has released the patches, and we recommend that users update Apache Spark to 3.1.3, 3.2.2, 3.3.0, or a higher version. Please visit:

https://spark.apache.org/downloads.html

2. Reference methods on GitHub: We can fix the vulnerability by removing the call to bash in the ShellBasedGroupsMappingProvider function. Please visit:

https://github.com/apache/spark/pull/36315/files

Implementing the Fix

The Hillstone IPS can support the detection and protection of this vulnerability.

Figure 1. Apache Spark Shell Command Injection Vulnerability detected by Hillstone IPS

The hotspot intelligence of this vulnerability is available on Hillstone iSource as well.

Figure 2. Hotspot intelligence on Hillstone iSource

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Breaking the Mold Halting a Hacker’s Code ep. 5 –Apache Spark Shell Command Injection Vulnerability

Introduction

Vulnerability

Affected Version

Remediation

Implementing the Fix

Related Articles

Breaking the Mold: Halting a Hacker’s Code ep. 17 – Apache RocketMQ 5.1.0 Remote Code Execution Vulnerability

Breaking the Mold: Halting a Hacker’s Code ep. 16 – Microsoft SharePoint Server Elevation of Privilege Vulnerability

Breaking the Mold: Halting a Hacker’s Code ep. 15 – Weaver E-cology9 ofsLogin.jsp Arbitrary User Login