
Apache Spark Shell Command Injection Vulnerability (CVE-2022-33891)

Jul 21, 2022 GMT+08:00

I. Overview

Apache Spark recently published a security notice disclosing a command injection vulnerability (CVE-2022-33891) in specific Apache Spark versions. When ACLs are enabled for the Apache Spark UI, an attacker can exploit this vulnerability to impersonate any user and inject and execute arbitrary commands.

Apache Spark is an open-source big data processing framework. If you are an Apache Spark user, check your system and implement timely security hardening.

Reference: https://spark.apache.org/security.html

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

Apache Spark <= 3.0.3

Apache Spark 3.1.1 - 3.1.2

Apache Spark 3.2.0 - 3.2.1

Secure versions:

Apache Spark >= 3.3.0

Apache Spark >= 3.1.3

Apache Spark >= 3.2.2

IV. Vulnerability Handling

This vulnerability has been fixed in the latest official releases. If your service version falls into the affected range, upgrade it to a secure version.

https://github.com/apache/spark/tags

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
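The following script is an added example, not part of this notice or of the Apache Spark project. It encodes the affected and secure version ranges listed above, classifies a deployed Spark version against them, and reports the lowest secure release to upgrade to. It also reads a spark-defaults.conf body and checks the standard `spark.acls.enable` setting (the notice refers only to "ACLs enabled" and does not name the key), since an affected version is exposed only when that option is on. The sample configuration embedded in the block is constructed for the example.

```python
"""Classify an Apache Spark deployment against CVE-2022-33891 version ranges."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, as listed in the notice.
AFFECTED_RANGES = [
    ((0, 0, 0), (3, 0, 3)),   # Apache Spark <= 3.0.3
    ((3, 1, 1), (3, 1, 2)),   # Apache Spark 3.1.1 - 3.1.2
    ((3, 2, 0), (3, 2, 1)),   # Apache Spark 3.2.0 - 3.2.1
]
# Lowest secure release per line, as listed in the notice (ascending order).
SECURE_MINIMUMS = [(3, 1, 3), (3, 2, 2), (3, 3, 0)]

# Constructed spark-defaults.conf content for demonstration only.
SAMPLE_CONF = """# constructed example configuration
spark.master              yarn
spark.ui.enabled          true
spark.acls.enable         true
"""


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; trailing suffixes such as '-SNAPSHOT' are ignored."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"not a Spark version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(v: Version) -> bool:
    """True if v falls inside any affected range from the notice."""
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(v: Version) -> Optional[str]:
    """Lowest secure release that is not below v, or None if v is already secure."""
    if not is_affected(v):
        return None
    for s in SECURE_MINIMUMS:
        if s >= v:
            return ".".join(map(str, s))
    return None


def acls_enabled(spark_defaults: str) -> bool:
    """Return True if spark.acls.enable is set to true in a spark-defaults.conf body.

    Spark reads this file as Java properties, so 'key value', 'key=value' and
    'key:value' are all accepted; the last occurrence wins.
    """
    enabled = False
    for line in spark_defaults.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        parts = re.split(r"[\s=:]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0] == "spark.acls.enable":
            enabled = parts[1].strip().lower() == "true"
    return enabled


def assess(version_text: str, spark_defaults: str = "") -> Dict[str, object]:
    """Combine the version check and the ACL check into one finding."""
    v = parse_version(version_text)
    if is_affected(v):
        status = "affected"
    elif v >= SECURE_MINIMUMS[0]:
        status = "secure"
    else:
        # Versions such as 3.1.0 are not named in the notice; do not guess.
        status = "not listed"
    acls = acls_enabled(spark_defaults)
    return {
        "version": ".".join(map(str, v)),
        "status": status,
        "acls_enabled": acls,
        # Exposed only when the build is affected AND UI ACLs are turned on.
        "exposed": status == "affected" and acls,
        "recommended": recommended_upgrade(v),
    }


if __name__ == "__main__":
    for candidate in ("3.0.3", "3.1.2", "3.2.1", "3.2.2", "3.3.0"):
        print(assess(candidate, SAMPLE_CONF))
```

Run it with the output of `spark-submit --version` (or the version shown on the Spark UI) and the contents of your `conf/spark-defaults.conf`; an "exposed" result means the deployment is both in the affected range and running with UI ACLs on, which is the condition the notice describes. A "not listed" result means the notice does not name that version, so check the upstream reference rather than assuming it is safe.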