Apache Spark official site security update (2020-06-23)

Intelligence source: TSRC

Published: 2020-06-23

Basic information
  • Release date: 2020-06-23
  • Detected: 2020-06-23
  • Vulnerability type: Security update
  • Risk level: High
  • Updated version: Unknown
  • Intelligence contributor: TSRC
Update title

CVE-2020-9480: Apache Spark RCE vulnerability in auth-enabled standalone master

Update details

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

Apache Spark 2.4.5 and earlier

Description:

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine.

This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

Mitigation:

Users should update to Spark 2.4.6 or 3.0.0.
Where possible, network access to the cluster machines should be restricted to trusted hosts only.

Credit:

Ayoub Elaassal
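As an added example (not part of the advisory or the Spark project), the following Python helper decides whether a Spark version string, or the banner printed by `spark-submit --version`, falls in the affected range named above (2.4.5 and earlier; fixed in 2.4.6 and 3.0.0). It assumes the first "version x.y.z" token in the banner is Spark's own, and it conservatively treats pre-release builds of a fixed version (for example a 3.0.0 preview) as affected, since the advisory names only the final releases.

```python
import re
from typing import Optional, Tuple

# Versions named in the advisory: last affected release and the fixed releases.
LAST_AFFECTED = (2, 4, 5)
FIXED_RELEASES = ((2, 4, 6), (3, 0, 0))

# x.y.z with an optional pre-release/build tag such as "-preview2" or "-SNAPSHOT".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-+]([0-9A-Za-z.]+))?")

# Constructed, shortened banner in the style of `spark-submit --version` (not real output).
SAMPLE_BANNER = """Welcome to Spark
   version 2.4.5
Using Scala version 2.11.12, OpenJDK 64-Bit Server VM, 1.8.0_252
"""


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], Optional[str]]]:
    """Return ((major, minor, patch), prerelease_tag) from a bare version or a banner.

    A "version x.y.z" token is preferred (the first one in a banner is Spark's own);
    otherwise the first x.y.z anywhere in the text is used. Returns None if none is found.
    """
    m = re.search(r"version\s+" + _VERSION_RE.pattern, text) or _VERSION_RE.search(text)
    if m is None:
        return None
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return base, m.group(4)


def is_affected(text: str) -> Optional[bool]:
    """True if the version is in the CVE-2020-9480 affected range, False if fixed,
    None if no version could be parsed from the input."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    base, prerelease = parsed
    if base <= LAST_AFFECTED:
        return True
    # Assumption: a pre-release build of a fixed version (e.g. 3.0.0-preview2) predates
    # the fix, so it is flagged as affected rather than trusted.
    if prerelease and base in FIXED_RELEASES:
        return True
    return False
```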

Software description

Apache Spark is a fast, general-purpose computing engine designed for large-scale data processing.

CVE ID

CVE-2020-9480 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9480)

Knowsafe analysis

None yet

Industry news

None yet

Source link

https://spark.apache.org/security.html