Select Page

Breaking the Mold Halting a Hacker’s Code ep. 5 –Apache Spark Shell Command Injection Vulnerability

Introduction

Apache Spark is a distributed open-source system for large-scale data processing and fast general-purpose calculation. It also supports a wide range of advanced tools, including Spark SQL for SQL and DataFrames, pandas API on Spark for pandas workloads, MLlib for machine learning, GraphX for graph processing, and Structured Streaming for stream processing. Its powerful features combined with free access make it widely used worldwide. As a result, the shell command injection vulnerability has a broad impact.

Vulnerability

The shell command injection vulnerability revolves around manipulating application ACLs, which allows users/groups – excluding the owner who starts the application – access to an application. The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. If ACLs are enabled, Apache spark will go through the HttpSecurityFilter filter to verify the user’s permissions. In the code of HttpSecurityFilter, the username can be entered arbitrarily and the fields will be concatenated later. Therefore, a malicious user might then be able to inject a piece of shell command by separating the characters of the command to several username fields. Then after the fields are concatenated into a piece of the shell command the executeAndGetOutput function will cause the command to execute.

Affected Version

Spark Core – Apache<=3.0.3

3.1.1 <= Spark Core – Apache <=3.1.2

3.2.0 <= Spark Core – Apache <=3.2.1

Remediation

1. Official fix: The vendor has released the patches, and we recommend that users update Apache Spark to 3.1.3, 3.2.2, 3.3.0, or a higher version. Please visit:

https://spark.apache.org/downloads.html

2. Reference methods on GitHub: We can fix the vulnerability by removing the call to bash in the ShellBasedGroupsMappingProvider function. Please visit:

https://github.com/apache/spark/pull/36315/files

Implementing the Fix

The Hillstone IPS can support the detection and protection of this vulnerability.

Figure 1. Apache Spark Shell Command Injection Vulnerability detected by Hillstone IPS

The hotspot intelligence of this vulnerability is available on Hillstone iSource as well.

Figure 2. Hotspot intelligence on Hillstone iSource

Hillstone Security Management V5.3.5 A Super Helper in Your Network
March 21, 2023 | Ferry Wang
A unified platform that offers a holistic approach to managing and securing networks – is exactly what organizations are seeking. We are pleased to announce that the Hillstone...

Breaking the Mold: Halting a Hacker’s Code ep. 11 – Kafka Connect JNDI Injection
March 16, 2023 | Ferry Wang
Introduction As a distributed open-source messaging system, Apache Kafka provides high throughput and low latency processing for various types of data. It is widely used in log...

Treasury Report Calls Out Cybersecurity in the Financial Sector
March 14, 2023 | Hillstone Marketing
Retail and commercial financial services moving to the cloud is generally considered a good thing. The cloud offers benefits that financial services providers cannot access in...

Hillstone Networks Added as CVE Numbering Authority (CNA)
March 1, 2023 | Zeyao Hu
Hillstone Networks, a leading provider of innovative and accessible cybersecurity solutions, has been added as a Common Vulnerabilities and Exposures (CVE) Numbering Authority...

Hillstone Security Audit V2.19.0: Reigning in Network Complexity with Advanced Log Records
February 26, 2023 | Ferry Wang
The importance of logs that record events of all types in a complex network cannot be overstated, especially for detecting and tracking threats. We are pleased to announce that...

Empowering Cyber Security and Resiliency with Hillstone Networks StoneOS 5.5R10
February 19, 2023 | Junyi Duanmu
In a post-pandemic world with a distributed workforce, the traditional, edge-based security model must be modified, so as to reinforce the defenses against the expanded...

Breaking the Mold: Halting a Hacker’s Code ep. 10 – Massive ESXiArgs Ransomware Attacks
February 19, 2023 | Junyi Duanmu
Introduction VMware ESXi is a popular virtualization hypervisor worldwide. Recently, ESXi servers that are unpatched against a two-year-old remote code execution vulnerability...

Breaking the Mold: Halting a Hacker’s Code ep. 9 – XStream Stack Overflow Denial of Service Vulnerability
February 8, 2023 | Junyi Duanmu
Introduction XStream is a Java-based library for serializing Java objects to XML and back again. Recently, the highly severe XStream stack overflow denial of service...

XDR: A Step Towards Integrated Security for Cyber Defense
December 20, 2022 | David Yu
2022: A Year in Review 2022 has truly been a year of turbulence and misfortune. Covid-19 pandemic continued to rage around much of the world, causing more illnesses, deaths, and...