
Q & A Column

How should the high-severity Spark vulnerability be handled? CVE-2022-33891: Apache Spark shell command injection vulnerability via Spark UI

1275994522 (1 answer, 3 saves)

Problem description:

CVE-2022-33891: Apache Spark shell command injection vulnerability via Spark UI

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

  • 3.0.3 and earlier
  • 3.1.1 to 3.1.2
  • 3.2.0 to 3.2.1

Description:

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as.

Mitigation:

  • Update to Spark 3.1.3, 3.2.2, or 3.3.0 or later

Credit:

  • Kostya Torchinsky (Databricks)

Official link: https://spark.apache.org/security.html
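As an added example (not part of the question, the answer, or the Apache advisory), a small Python checker that encodes the advisory's affected version ranges and reads spark.acls.enable from a spark-defaults.conf, so a defender can tell whether a deployment is on an affected release and has the ACL code path enabled. The configuration text embedded below is constructed for the example.

```python
import re

# Inclusive version ranges the advisory lists as affected.
AFFECTED_RANGES = (
    ((0, 0, 0), (3, 0, 3)),  # 3.0.3 and earlier
    ((3, 1, 1), (3, 1, 2)),  # 3.1.1 to 3.1.2
    ((3, 2, 0), (3, 2, 1)),  # 3.2.0 to 3.2.1
)
# First fixed release per minor line, from the advisory's mitigation list;
# anything else falls back to 3.3.0, which the advisory also names.
FIXED_RELEASE = {(3, 1): "3.1.3", (3, 2): "3.2.2"}

def parse_version(text):
    """Return (major, minor, patch) from strings like '3.2.1' or '3.1.2-hadoop3'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Spark version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)

def parse_spark_conf(text):
    """Parse spark-defaults.conf style lines ('key value' or 'key=value')."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf

def assess(version_text, conf_text):
    """Combine release and ACL setting into an exposure verdict for CVE-2022-33891."""
    version = parse_version(version_text)
    conf = parse_spark_conf(conf_text)
    acls_enabled = conf.get("spark.acls.enable", "false").lower() == "true"
    affected = is_affected(version)
    fixed = FIXED_RELEASE.get(version[:2], "3.3.0")
    return {
        "version": ".".join(map(str, version)),
        "affected_version": affected,
        "acls_enabled": acls_enabled,
        # The vulnerable path needs ACLs on, but an affected release still needs the upgrade.
        "exposed": affected and acls_enabled,
        "recommendation": f"upgrade to {fixed} or later" if affected else "no action for CVE-2022-33891",
    }

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = "# constructed spark-defaults.conf\nspark.master  yarn\nspark.acls.enable  true\n"

if __name__ == "__main__":
    for v in ("3.2.1", "3.2.2", "2.4.8-hadoop2.7"):
        print(v, assess(v, SAMPLE_CONF))
```

spark.acls.enable can also be set from SparkConf in application code or with --conf at submit time, so the defaults file is only one of the places to check.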


Notice: this question has been closed by the author or an administrator, so no new replies can be added.

1 answer

3443073884

Answered on 2022-08-10 13:02

Just upgrade and it's fine.


Comments: 0, Upvotes: 0
