729222 – (CVE-2020-9480) <sys-cluster/spark-bin-2.4.6: Remote code execution vulnerability (CVE-2020-9480)

Bug 729222 (CVE-2020-9480) - <sys-cluster/spark-bin-2.4.6: Remote code execution vulnerability (CVE-2020-9480)

Summary: <sys-cluster/spark-bin-2.4.6: Remote code execution vulnerability (CVE-2020-9...

Status:	RESOLVED FIXED

Alias:	CVE-2020-9480

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://spark.apache.org/security.html
Whiteboard:	~1 [noglsa]
Keywords:	PullRequest

Depends on:
Blocks:

Reported:	2020-06-23 01:58 UTC by John Helmert III
Modified:	2020-07-23 06:54 UTC (History)
CC List:	3 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/16383
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2020-06-23 01:58:05 UTC

Description:

In Apache Spark 2.4.5 and earlier, a standalone resource manager’s master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application’s resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine.

This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

Comment 1 John Helmert III archtester

2020-06-23 01:59:05 UTC

Maintainers, please bump.

Comment 2 Larry the Git Cow gentoo-dev

2020-07-16 14:39:04 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=517a73e1a50509ad8f834400a45eb9a987fe35b9

commit 517a73e1a50509ad8f834400a45eb9a987fe35b9
Author:     Alec Ten Harmsel <alec@alectenharmsel.com>
AuthorDate: 2020-06-23 10:43:02 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-07-16 14:38:42 +0000

    sys-cluster/spark-bin: Remove 2.4.5
    
    Insecure (see CVE-2020-9480).
    
    Bug: https://bugs.gentoo.org/729222
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Alec Ten Harmsel <alec@alectenharmsel.com>
    Closes: https://github.com/gentoo/gentoo/pull/16383
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-cluster/spark-bin/Manifest               |  1 -
 sys-cluster/spark-bin/spark-bin-2.4.5.ebuild | 61 ----------------------------
 2 files changed, 62 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c182e63b5cb2e159edd60c2ebaebfefe46504d9

commit 9c182e63b5cb2e159edd60c2ebaebfefe46504d9
Author:     Alec Ten Harmsel <alec@alectenharmsel.com>
AuthorDate: 2020-06-23 10:39:15 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-07-16 14:38:42 +0000

    sys-cluster/spark-bin: Bump to 2.4.6
    
    2.4.5 and earlier are insecure (see CVE-2020-9480).
    
    Bug: https://bugs.gentoo.org/729222
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Alec Ten Harmsel <alec@alectenharmsel.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-cluster/spark-bin/Manifest               |  1 +
 sys-cluster/spark-bin/spark-bin-2.4.6.ebuild | 61 ++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)

Comment 3 Sam James archtester

2020-07-16 15:51:58 UTC

Thanks. All done.

Comment 4 John Helmert III archtester

2020-07-23 06:54:30 UTC

All done, noglsa, closing.