First published: Wed Oct 24 2018
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
Credit: security@apache.org
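A check a developer can run on a build machine for the exposure described above, as an added example that is not part of the original advisory or of Spark's build scripts: it parses Linux `ss -ltnp` output and reports TCP listeners bound to a non-loopback address. The sample output is constructed, and the port numbers in it (3030, 3031) are assumed values; substitute the port your zinc server uses.

```python
import ipaddress

# Constructed sample of `ss -ltnp` output (Linux); not captured from a real host.
# Ports 3030/3031 are assumed values standing in for a zinc server's port.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      50     *:3030             *:*               users:(("java",pid=4242,fd=45))
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=900,fd=5))
LISTEN 0      50     [::ffff:127.0.0.1]:3031 *:*          users:(("java",pid=4300,fd=45))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=700,fd=4))
LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*
"""

def is_loopback_bind(host):
    """True if a listener bound to `host` is reachable only from this machine."""
    host = host.split("%", 1)[0].strip("[]")   # drop %iface scope and IPv6 brackets
    if host == "*":                            # ss prints * for the wildcard address
        return False
    ip = ipaddress.ip_address(host)
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 -> 127.0.0.1
    return (mapped or ip).is_loopback

def exposed_listeners(ss_output, port=None):
    """Return (bind_address, port, process) for every non-loopback TCP listener.
    `port` optionally restricts the result to one port."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                           # header or non-listening socket
        host, _, port_text = fields[3].rpartition(":")
        if port is not None and int(port_text) != port:
            continue
        if not is_loopback_bind(host):
            process = fields[5] if len(fields) > 5 else ""
            found.append((host, int(port_text), process))
    return found

if __name__ == "__main__":
    for host, p, proc in exposed_listeners(SAMPLE_SS):
        print(f"reachable from other hosts: {host}:{p} {proc}")
```

Feed it live data with `ss -ltnp` piped into the function while a build is running; a wildcard (`*`, `0.0.0.0`, `[::]`) or routable bind address on the build helper's port means other hosts on the network can connect to it.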
Affected Software | Affected Version | How to fix |
---|---|---|
Apache Spark | >=1.3.0 | |
CVE-2018-11804 is a vulnerability in Apache Spark's Maven-based build that allows external hosts to connect to a zinc server by default.
CVE-2018-11804 has a severity rating of 7.5 (high).
CVE-2018-11804 affects Apache Spark versions 1.3.x and above, including the master branch.
To fix CVE-2018-11804, update to a version of Apache Spark that includes the necessary security patches.
More information about CVE-2018-11804 can be found on the Apache Spark website.