
=====================================================================

                                 CERT-Renater

                      Information Note No. 2023/VULN165

_____________________________________________________________________

DATE                : 17/04/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Spark versions prior
                     to 3.4.0.

=====================================================================
https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv
_____________________________________________________________________

CVE-2023-22946: Apache Spark proxy-user privilege escalation from
malicious configuration class


Description:

In Apache Spark versions prior to 3.4.0, applications using
spark-submit can specify a 'proxy-user' to run as, limiting privileges.
However, by providing malicious configuration-related classes on the
classpath, the application can instead execute code with the
privileges of the submitting user. This affects architectures relying
on proxy-user, for example those using Apache Livy to manage submitted
applications.

This issue is being tracked as SPARK-41958.

Workarounds:

Update to Apache Spark 3.4.0 or later, and ensure that
spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its
default of "false", and is not overridden by submitted applications.
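The following audit script is an added example, not part of this advisory or of Apache Spark. It checks the two conditions above for a deployment, assuming you can supply the Spark version, the contents of spark-defaults.conf (hypothetical sample below) and the argument list of a spark-submit invocation.

```python
import re
from typing import Dict, List, Sequence

FLAG = "spark.submit.proxyUser.allowCustomClasspathInClusterMode"
FIXED = (3, 4, 0)  # first release carrying the SPARK-41958 fix

def parse_version(version: str) -> tuple:
    """'3.3.2' or '3.4.0-SNAPSHOT' -> (3, 3, 2) / (3, 4, 0)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Spark version: {version!r}")
    return tuple(int(n) for n in m.groups())

def parse_conf(text: str) -> Dict[str, str]:
    """Parse spark-defaults.conf text: one 'key value' (or key=value) per line,
    lines starting with '#' are comments."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[=\s]+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf

def submit_overrides(args: Sequence[str]) -> Dict[str, str]:
    """Collect '--conf key=value' pairs passed on the spark-submit command line."""
    out: Dict[str, str] = {}
    for i, arg in enumerate(args[:-1]):
        if arg == "--conf" and "=" in args[i + 1]:
            key, value = args[i + 1].split("=", 1)
            out[key] = value
    return out

def audit(version: str, defaults_text: str, submit_args: Sequence[str]) -> List[str]:
    """Return findings for CVE-2023-22946; an empty list means both checks passed."""
    findings: List[str] = []
    if parse_version(version) < FIXED:
        findings.append(f"Spark {version} predates 3.4.0: upgrade, the fix is not present")
    defaults = parse_conf(defaults_text)
    overrides = submit_overrides(submit_args)
    # A submitted '--conf' takes precedence over spark-defaults.conf.
    source = "submitted application" if FLAG in overrides else "spark-defaults.conf"
    effective = overrides.get(FLAG, defaults.get(FLAG, "false"))
    if effective.strip().lower() == "true":
        findings.append(f"{source} sets {FLAG}=true; it must stay at its default 'false'")
    return findings
```

Run it against each cluster's spark-defaults.conf and against the argument lists your submission gateway (for example Livy) builds for spark-submit; any non-empty result is a deployment that still matches the advisory.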


Credit:

Hideyuki Furue (finder)
Yi Wu (Databricks) (remediation developer)


References:

https://spark.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-22946
https://issues.apache.org/jira/browse/SPARK-41958

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

