First published: Thu Jul 12 2018(Updated: )
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
Credit: security@apache.org security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
Apache Spark | <=2.1.2 | |
Apache Spark | >=2.2.0<=2.2.1 | |
Apache Spark | =2.3.0 | |
pip/pyspark | >=0<2.1.3 | 2.1.3 |
pip/pyspark | >=2.2.0<2.2.2 | 2.2.2 |
maven/org.apache.spark:spark-core_2.11 | =2.3.0 | 2.3.1 |
maven/org.apache.spark:spark-core_2.11 | >=2.2.0<2.2.2 | 2.2.2 |
maven/org.apache.spark:spark-core_2.11 | >=1.0.0<2.1.3 | 2.1.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2018-1334 has been classified as a moderate severity vulnerability.
To fix CVE-2018-1334, upgrade Apache Spark to versions 2.1.3, 2.2.2, or 2.3.1 depending on your current version.
CVE-2018-1334 affects Apache Spark versions from 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and also 2.3.0.
CVE-2018-1334 allows a local user to connect and impersonate the user running the Spark application.
CVE-2018-1334 is specifically noted for vulnerabilities when using PySpark or SparkR.