Bug 1887887 (CVE-2020-9480)

Summary: CVE-2020-9480 apache-spark: RCE vulnerability in auth-enabled standalone master
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, bibryam, chazlett, drieden, ganandan, ggaughan, gmalinko, hbraun, janstey, jochrist, jwon, pantinor, pjindal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-14 02:21:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1886186    

Description Guilherme de Almeida Suckevicz 2020-10-13 14:13:22 UTC 
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

Reference:
https://spark.apache.org/security.html#CVE-2020-9480

Upstream patch:
https://github.com/apache/spark/commit/61b7d446b37cecc45e6d274bbfdde3b745bf068f
Comment 1 Product Security DevOps Team 2020-10-14 02:21:14 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-9480