Service Notices

Apache Spark Remote Code Execution Vulnerability (CVE-2020-9480)

Jun 28, 2020 GMT+08:00

I. Overview

Apache Spark has published a security advisory disclosing a remote code execution vulnerability (CVE-2020-9480) in Apache Spark 2.4.5 and earlier. In these versions, the master of the standalone resource manager can be configured to require authentication via a shared secret (spark.authenticate). Even when this is enabled, a specially crafted RPC to the master can succeed in starting an application's resources on the Spark cluster without the shared secret, and this can be leveraged to execute shell commands on the host machine. The advisory also notes that clusters using another resource manager (YARN, Mesos, etc.) are not affected.

If you run Apache Spark, check the version and resource manager of each deployment and apply the fix promptly. Enabling shared-secret authentication is not a mitigation, because the vulnerability is a bypass of exactly that check.

Reference link:

https://spark.apache.org/security.html

II. Severity

Severity: Important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected Versions:

Apache Spark 2.4.5 and earlier versions

Secure Versions:

Apache Spark 2.4.6 and 3.0.0
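A deployment is in scope only if it runs one of the affected versions and its master is the standalone resource manager. The following script is an added example, not code from this notice or from the Apache Spark project; it classifies a version string against the 2.4.5-and-earlier range and inspects a spark-defaults.conf for the two settings that decide exposure. It assumes the "version X.Y.Z" token printed in the `spark-submit --version` banner and the standard spark.master / spark.authenticate configuration keys; the banner and config files it runs against are constructed samples.

```shell
#!/bin/sh
# Added example: not code from this notice or from the Apache Spark project.
# Classifies a Spark version against the CVE-2020-9480 affected range
# (2.4.5 and earlier) and inspects a spark-defaults.conf for the two
# settings that decide exposure: spark.master (a standalone "spark://"
# URL) and spark.authenticate (the shared-secret check the bug bypasses).
# Assumed: the "version X.Y.Z" token in the `spark-submit --version`
# banner and the standard spark.master / spark.authenticate config keys.

# Extract "X.Y.Z" from a `spark-submit --version` banner read on stdin.
# The first "version ..." token is Spark's own; a later one is Scala's.
parse_spark_version_banner() {
    sed -n 's/.*version \([0-9][0-9A-Za-z.+-]*\).*/\1/p' | head -n 1
}

# Return 0 when VERSION is 2.4.5 or earlier, 1 when it is newer,
# 2 when it cannot be parsed. Suffixes such as "-preview2" or
# "-SNAPSHOT" are ignored; a missing minor/patch component counts as 0.
spark_version_affected() {
    ver=$(printf '%s\n' "$1" | sed 's/[-+].*$//')
    major=$(printf '%s\n' "$ver" | cut -d. -f1)
    minor=$(printf '%s\n' "$ver" | cut -d. -s -f2)
    patch=$(printf '%s\n' "$ver" | cut -d. -s -f3)
    minor=${minor:-0}
    patch=${patch:-0}
    case "$major$minor$patch" in
        ''|*[!0-9]*) return 2 ;;
    esac
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -gt 2 ]; then return 1; fi
    if [ "$minor" -lt 4 ]; then return 0; fi
    if [ "$minor" -gt 4 ]; then return 1; fi
    if [ "$patch" -le 5 ]; then return 0; fi
    return 1
}

# Return 0 when CONF sets spark.master to a standalone "spark://" URL.
uses_standalone_master() {
    grep -Eq '^[[:space:]]*spark\.master[[:space:]=]+spark://' "$1"
}

# Return 0 when CONF enables spark.authenticate.
authenticate_enabled() {
    grep -Eq '^[[:space:]]*spark\.authenticate[[:space:]=]+true' "$1"
}

# Print a one-line verdict for VERSION and CONF. Returns 0 when the
# deployment is affected, 1 when it is not, 2 when inputs are unusable.
assess() {
    ver=$1
    conf=$2
    if [ ! -r "$conf" ]; then
        echo "unknown: cannot read $conf"
        return 2
    fi
    vrc=0
    spark_version_affected "$ver" || vrc=$?
    if [ "$vrc" -eq 2 ]; then
        echo "unknown: cannot parse Spark version '$ver'"
        return 2
    fi
    if [ "$vrc" -eq 1 ]; then
        echo "not affected: Spark $ver is newer than 2.4.5"
        return 1
    fi
    if ! uses_standalone_master "$conf"; then
        echo "not affected: Spark $ver without a standalone master in $conf (YARN/Mesos deployments are out of scope)"
        return 1
    fi
    if authenticate_enabled "$conf"; then
        echo "AFFECTED: Spark $ver standalone master; spark.authenticate=true does not mitigate CVE-2020-9480, upgrade to 2.4.6 or 3.0.0"
    else
        echo "AFFECTED: Spark $ver standalone master with spark.authenticate unset; upgrade to 2.4.6 or 3.0.0, then enable spark.authenticate"
    fi
    return 0
}

# Constructed sample inputs (not captured from a real deployment).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_BANNER=$WORK/spark-version.txt
SAMPLE_CONF=$WORK/spark-defaults-standalone.conf
SAMPLE_CONF_YARN=$WORK/spark-defaults-yarn.conf

cat >"$SAMPLE_BANNER" <<'EOF'
Welcome to
      ____              __
     / __/__  ___ _____/ /__
   /___/ .__/\_,_/_/ /_/\_\   version 2.4.5
      /_/

Using Scala version 2.11.12, OpenJDK 64-Bit Server VM, 1.8.0_252
EOF

cat >"$SAMPLE_CONF" <<'EOF'
# constructed: standalone master with shared-secret authentication on
spark.master              spark://master.example.internal:7077
spark.authenticate        true
spark.authenticate.secret ChangeMe
EOF

cat >"$SAMPLE_CONF_YARN" <<'EOF'
# constructed: same Spark version, but running on YARN
spark.master              yarn
spark.authenticate        true
EOF

# Stand-alone run. For a real check, feed `spark-submit --version 2>&1`
# to parse_spark_version_banner and point assess at
# $SPARK_HOME/conf/spark-defaults.conf.
SAMPLE_VERSION=$(parse_spark_version_banner <"$SAMPLE_BANNER")
assess "$SAMPLE_VERSION" "$SAMPLE_CONF" || true
assess "$SAMPLE_VERSION" "$SAMPLE_CONF_YARN" || true
```

The verdict deliberately treats spark.authenticate=true on an affected standalone master as still affected: the shared secret is the control this bug bypasses, so only the upgrade removes the exposure.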

IV. Vulnerability Handling

This vulnerability is fixed in Apache Spark 2.4.6 and 3.0.0. If your Spark version falls into the affected range, upgrade to one of these releases or later. Enabling shared-secret authentication on the standalone master does not mitigate the issue, because the vulnerability is a bypass of that check; restricting network access to the standalone master reduces exposure until the upgrade is done, but is not a substitute for it.

Download path: https://github.com/apache/spark/releases

Note: Before applying the fix, back up your files and test the upgraded version thoroughly.