1615652 – (CVE-2018-11770) CVE-2018-11770 spark: Missing authentication allows users to run driver programs via the REST API

Bug 1615652 (CVE-2018-11770) - CVE-2018-11770 spark: Missing authentication allows users to run driver programs via the REST API

Summary: CVE-2018-11770 spark: Missing authentication allows users to run driver progr...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2018-11770
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1615653
TreeView+	depends on / blocked

Reported:	2018-08-14 00:52 UTC by Sam Fowler
Modified:	2021-02-04 00:42 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2019-06-10 10:35:44 UTC
Embargoed:

Attachments	(Terms of Use)

Description Sam Fowler 2018-08-14 00:52:32 UTC

Apache Spark from version 1.3.0 onward exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property spark.authenticate.secret establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API.


External Reference:

https://spark.apache.org/security.html#CVE-2018-11770

Note You need to log in before you can comment on or make changes to this bug.