Hitachi Vantara Knowledge

Unsecured Apache Spark Standalone Executes User Code

Priority: ● Critical

Status: In Progress - Undergoing Analysis


First Published: August 29, 2023

Advisory Version: 1.0

References: CVE-2018-17190

Summary

In all versions of Apache Spark, the standalone resource manager accepts code to execute on a 'master' host, which then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially crafted request to the master can, however, cause the master to execute code too.

Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.

Affected Products

Vulnerable Products


The following matrix lists Hitachi Vantara products and solutions which have been confirmed to be affected by this vulnerability. If a Fixed Release Version is accompanied by a future date, the date is the best estimate we can provide based on current information and mitigation testing progress. If no Fixed Release Version is indicated for an affected product, Hitachi Vantara is continuing to evaluate the fix, and will update this advisory as additional information becomes available.

Product (Content Products): Content Intelligence
Fixed Release Version: HCI is susceptible to this CVE, since there is no version of Apache Spark with a "fix". However, there is an easy way to mitigate the effects of this vulnerability. According to https://spark.apache.org/security.html, enabling authentication on the cluster and securing the cluster using other network-level restrictions (blocking Spark ports) can mitigate the vulnerability. Hitachi Vantara recommends blocking all network ports to an HCI cluster except for ports 8000, 8888, and 6192. In addition, HCI can (and should) be set up with an internal network to keep internal cluster communication private. These recommendations, plus use of passwords to restrict access to the cluster, should mitigate this vulnerability.
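As an added example (not code from the advisory, from Hitachi Vantara, or from the Spark project), the Python audit below parses a standalone node's spark-defaults.conf and reports whether the authentication settings the advisory points to (spark.authenticate and its shared secret) are in place; the two sample configs are constructed, and the secret value is a placeholder.

```python
# Added example: audit a Spark standalone node's spark-defaults.conf for the
# authentication settings that mitigate CVE-2018-17190 (master executing
# unauthenticated requests). Sample configs below are constructed, not real.
import re
from typing import Dict, List

# Spark loads spark-defaults.conf as Java Properties, so "key value",
# "key=value" and "key: value" are all accepted; '#' starts a comment.
_LINE = re.compile(r"^\s*([^\s=:#]+)\s*[=:\s]\s*(.*?)\s*$")


def parse_spark_defaults(text: str) -> Dict[str, str]:
    """Return {key: value}; later duplicates override earlier ones."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if match:
            conf[match.group(1)] = match.group(2)
        else:  # bare key with no value, as Properties would read it
            conf[line] = ""
    return conf


def audit_standalone_auth(conf: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the recommended settings are set."""
    findings: List[str] = []
    if conf.get("spark.authenticate", "false").strip().lower() != "true":
        findings.append("spark.authenticate is not true: master RPC accepts "
                        "unauthenticated requests")
    if not conf.get("spark.authenticate.secret", "").strip():
        findings.append("spark.authenticate.secret is unset: standalone mode "
                        "needs the same secret configured on every node")
    return findings


# Constructed samples: a weak default-style config and a hardened one.
WEAK_CONF = """# constructed sample: shipped without authentication
spark.master spark://master:7077
spark.authenticate false
"""
HARDENED_CONF = """spark.master spark://master:7077
spark.authenticate true
spark.authenticate.secret = REPLACE_WITH_LONG_RANDOM_SECRET
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_standalone_auth(parse_spark_defaults(text)) or "OK")
```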


Products Confirmed Not Vulnerable

At the time of this advisory's publication, only products listed in the Vulnerable Products section above are confirmed to be affected by this vulnerability.

Recommended Actions

If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.

The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.
