Flaw in Apache Spark framework allows attackers remote code execution on servers


Attackers can infect servers using this RCE vulnerability in the Apache Spark framework

Apache Spark is an open-source distributed general-purpose cluster-computing framework. Spark provides an interface for programming entire clusters with implicit data parallelism and fault tolerance. Researchers from Perimeter security said that the Apache developers have officially released a remote code execution risk alert affecting their software. The vulnerability is tracked as CVE-2020-9480 and has a High CVSS score.

According to Perimeter security experts, in Apache Spark 2.4.5 and earlier the stand-alone resource manager master can be configured to require authentication through a shared secret (spark.authenticate). Because of flaws in Spark's authentication mechanism, shared-secret authentication can be bypassed. Threat actors might abuse this vulnerability to execute commands on the host without administrator authorization, which results in remote code execution.

Spark currently supports authentication for RPC channels using a shared secret. Authentication can be turned on by setting the spark.authenticate configuration parameter. The exact mechanism used to generate and distribute the shared secret is deployment-specific. Unless the deployment provides its own mechanism, the secret must be defined by setting the spark.authenticate.secret config option. In that case the same secret is shared by all Spark applications and daemons, which limits the security of these deployments, especially on multi-tenant clusters.

In Apache Spark 2.4.5 and earlier, a stand-alone resource manager master can be configured to require authentication (spark.authenticate) through a shared secret. However, even when this is enabled, a specially crafted RPC to the master can succeed in launching an application's resources on the Spark cluster without the shared secret. This can be exploited to run shell commands on the host machine.

Apache devs alert

Spark supports AES-based encryption for RPC connections. For encryption to be enabled, RPC authentication must also be enabled and properly configured. AES encryption uses the Apache Commons Crypto library, and Spark’s configuration system allows access to that library’s configuration for advanced users.

The Perimeter security experts said the vulnerability resides in all versions of Apache Spark up to and including 2.4.5. Apache devs have patched the vulnerability and released fixed builds; Apache Spark users should upgrade to version 2.4.6 or to 3.0.0.
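The following is an added example, not code from the article or from the Apache Spark project: a small audit script that parses a spark-defaults.conf file, checks the running Spark version against the affected and fixed versions named above, and flags the shared-secret and RPC-encryption settings the article discusses. The sample configuration is constructed for the example; the `spark.network.crypto.enabled` key name comes from Spark's documentation rather than from this page.

```python
import re

# Version boundaries taken from the advisory text above: 2.4.5 and earlier are
# affected, 2.4.6 and 3.0.0 carry the fix.
FIRST_FIXED = {2: (2, 4, 6), 3: (3, 0, 0)}


def parse_version(v):
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError("unparseable Spark version: %r" % v)
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(v):
    ver = parse_version(v)
    # 1.x and any 2.x below 2.4.6 predate the fix; 4.x and later do not.
    return ver < FIRST_FIXED.get(ver[0], (2, 4, 6))


def parse_spark_defaults(text):
    """Parse the 'key value' / 'key=value' lines of spark-defaults.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+|=", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def audit(version, conf, standalone_master):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    auth_on = conf.get("spark.authenticate", "false").lower() == "true"
    if standalone_master and is_vulnerable_version(version):
        findings.append("CVE-2020-9480: Spark %s standalone master; shared-secret "
                        "authentication can be bypassed, upgrade to 2.4.6 or 3.0.0" % version)
    if auth_on and not conf.get("spark.authenticate.secret"):
        findings.append("spark.authenticate is true but spark.authenticate.secret is unset")
    # Key name from Spark's docs (not this page): toggle for AES RPC encryption.
    if auth_on and conf.get("spark.network.crypto.enabled", "false").lower() != "true":
        findings.append("RPC authentication is on but AES RPC encryption is not enabled")
    return findings


# Constructed sample configuration for a standalone cluster (not a real deployment).
SAMPLE_CONF = """\
# spark-defaults.conf (constructed)
spark.master               spark://master.example.internal:7077
spark.authenticate         true
spark.authenticate.secret  REPLACE_WITH_LONG_RANDOM_SECRET
"""

if __name__ == "__main__":
    for finding in audit("2.4.5", parse_spark_defaults(SAMPLE_CONF), True):
        print("-", finding)
```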

