Service Notices
Apache Spark Remote Code Execution Vulnerability (CVE-2020-9480)
Jun 28, 2020 GMT+08:00
I. Overview
Apache Spark has recently published a security advisory disclosing a remote code execution vulnerability (CVE-2020-9480) in Apache Spark 2.4.5 and earlier versions. According to the advisory, the master of the standalone resource manager can be configured to require authentication via a shared secret. Even when this is enabled, however, a specially crafted RPC to the master can succeed in starting an application's resources on the Spark cluster without the shared secret. This can be leveraged to execute shell commands on the host machine.
If you run Apache Spark, check your deployment and apply security hardening promptly.
Reference link:
https://spark.apache.org/security.html
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected Versions:
Apache Spark 2.4.5 and earlier versions
Secure Versions:
Apache Spark 2.4.6 and 3.0.0
IV. Vulnerability Handling
This vulnerability has been fixed in the newly released versions. If the version you run falls within the affected range, upgrade to a secure version.
Download path: https://github.com/apache/spark/releases
Note: Before applying the fix, back up your files and test the upgrade thoroughly.
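To help with the check described above, here is an added triage helper (example code, not part of this notice or of the Spark project) that classifies a deployment against the affected range from its version string and its spark-defaults.conf. The property names spark.master and spark.authenticate are Spark's standard ones; the sample configuration and version banner are constructed for the example.

```python
"""Triage helper for CVE-2020-9480: affected if Spark <= 2.4.5 (example code)."""
import re

LAST_AFFECTED = (2, 4, 5)   # "2.4.5 and earlier versions" per the notice


def parse_version(text):
    """Extract (major, minor, patch) from '2.4.5', 'version 2.4.5' or '2.4.5-SNAPSHOT'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no Spark version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def parse_conf(text):
    """Parse spark-defaults.conf: 'key value' (or key=value) lines, '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"([^\s=:]+)[\s=:]+(.*)", line)  # key ends at first space/=/:
        if match:
            conf[match.group(1)] = match.group(2).strip()
    return conf


def assess(version_text, conf_text):
    """Return a dict describing whether this deployment is in the affected range."""
    version = parse_version(version_text)
    conf = parse_conf(conf_text)
    standalone = conf.get("spark.master", "").startswith("spark://")
    auth = conf.get("spark.authenticate", "false").lower() == "true"
    affected = version <= LAST_AFFECTED
    if not affected:
        reason = "version outside affected range (fixed in 2.4.6 and 3.0.0)"
    elif standalone and auth:
        reason = "affected: standalone master relies on a shared secret the bug bypasses; upgrade"
    elif standalone:
        reason = "affected: standalone master in use; upgrade"
    else:
        reason = "affected version; standalone master not configured here, upgrade anyway"
    return {"version": version, "standalone_master": standalone,
            "authenticate": auth, "affected": affected, "reason": reason}


# Constructed sample input (not a real deployment): version banner and config.
SAMPLE_VERSION = "version 2.4.5"
SAMPLE_CONF = """\
# constructed spark-defaults.conf
spark.master             spark://master.example.internal:7077
spark.authenticate       true
spark.authenticate.secret  PLACEHOLDER-SECRET
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONF)["reason"])
```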