First published: Mon Apr 17 2023
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. By providing malicious configuration-related classes on the classpath, however, the application can execute code with the privileges of the submitting user instead. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false" and is not overridden by submitted applications.
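The remediation above has two parts: a version floor and a configuration setting that must not be overridden by the submitter. The following audit script is an added example, not code from Apache Spark or from this advisory; it assumes the standard spark-defaults.conf layout (one `key value` pair per line, `#` comments) and that submitters pass overrides as `--conf key=value` on the spark-submit command line. All function names and the sample configuration and command lines are constructed for illustration.

```python
"""Audit a Spark deployment for the CVE-2023-22946 mitigation (added example).

Assumptions: spark-defaults.conf is 'key value' per line with '#' comments;
spark-submit overrides arrive as '--conf key=value'. Function names are hypothetical.
"""
import re
import shlex

MITIGATION_KEY = "spark.submit.proxyUser.allowCustomClasspathInClusterMode"
FIXED_VERSION = (3, 4, 0)  # first release with the fix, per the advisory


def parse_version(text):
    """Turn '3.3.2' into (3, 3, 2); trailing suffixes such as '-SNAPSHOT' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Spark version: {text!r}")
    return tuple(int(x) for x in m.groups())


def parse_spark_defaults(text):
    """Parse spark-defaults.conf content into a dict: key, then whitespace, then value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return conf


def parse_submit_overrides(cmdline):
    """Collect --conf key=value pairs from a spark-submit command line."""
    args = shlex.split(cmdline)
    overrides = {}
    for i, arg in enumerate(args):
        if arg == "--conf" and i + 1 < len(args):
            key, _, value = args[i + 1].partition("=")
            overrides[key] = value
        elif arg.startswith("--conf="):
            key, _, value = arg[len("--conf="):].partition("=")
            overrides[key] = value
    return overrides


def audit(spark_version, defaults_text, submit_cmdlines):
    """Return a list of findings; an empty list means the advisory's mitigation holds."""
    findings = []
    if parse_version(spark_version) < FIXED_VERSION:
        findings.append(f"Spark {spark_version} is before 3.4.0 (CVE-2023-22946)")
    defaults = parse_spark_defaults(defaults_text)
    # Absent key means the safe default of "false".
    if defaults.get(MITIGATION_KEY, "false").lower() == "true":
        findings.append(f"{MITIGATION_KEY} is true in spark-defaults.conf")
    for cmd in submit_cmdlines:
        if parse_submit_overrides(cmd).get(MITIGATION_KEY, "").lower() == "true":
            findings.append(f"submitted application overrides {MITIGATION_KEY}=true: {cmd}")
    return findings


# Constructed sample inputs: a weak and a hardened spark-defaults.conf, plus two submissions.
WEAK_DEFAULTS = """\
# constructed spark-defaults.conf with the weak setting
spark.master            yarn
spark.submit.proxyUser.allowCustomClasspathInClusterMode true
"""
HARDENED_DEFAULTS = """\
spark.master            yarn
spark.submit.proxyUser.allowCustomClasspathInClusterMode false
"""
SUBMITS = [
    "spark-submit --proxy-user alice --conf spark.executor.memory=2g app.jar",
    "spark-submit --proxy-user bob --conf "
    "spark.submit.proxyUser.allowCustomClasspathInClusterMode=true app.jar",
]

if __name__ == "__main__":
    for finding in audit("3.3.2", WEAK_DEFAULTS, SUBMITS):
        print("FINDING:", finding)
    print("hardened 3.4.0:", audit("3.4.0", HARDENED_DEFAULTS, SUBMITS[:1]) or "no findings")
```

Run against the weak sample it reports three findings (old version, weak default, and a submission that overrides the key); against a 3.4.0 deployment with the hardened file and a benign submission it reports none. In a real deployment the command lines would come from the submission gateway's logs (for example Livy's request records), since the advisory's point is that the override must be rejected at the point where untrusted applications are submitted.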
Credit: security@apache.org
Affected Software | Affected Version | How to fix
---|---|---
Apache Spark | <3.4.0 | Update to Apache Spark 3.4.0 or later
The vulnerability ID is CVE-2023-22946.
CVE-2023-22946 has a severity rating of 9.9 (critical).
The affected software includes Apache Spark versions prior to 3.4.0 and versions 3.3.3, specifically the `org.apache.spark:spark-core_2.13` package.
To fix CVE-2023-22946, update to Apache Spark version 3.4.0 or version 3.3.3.
You can find more information about CVE-2023-22946 on the NIST National Vulnerability Database (NVD) website.