
Bug 729222 (CVE-2020-9480)

Summary: <sys-cluster/spark-bin-2.4.6: Remote code execution vulnerability (CVE-2020-9480)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: alec, java, proxy-maint
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://spark.apache.org/security.html
See Also: https://github.com/gentoo/gentoo/pull/16383
Whiteboard: ~1 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-23 01:58:05 UTC
Description:

In Apache Spark 2.4.5 and earlier, a standalone resource manager’s master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application’s resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine.

This does not affect Spark clusters using other resource managers (YARN, Mesos, etc.).
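The advisory above names the three conditions that make a host exposed: a standalone master, spark.authenticate enabled, and a Spark build older than 2.4.6. The following triage helper is an added example (not code from the bug, from Gentoo, or from the Spark project) that reads a spark-defaults.conf and a version string and classifies the host accordingly; the sample configuration and hostname in it are constructed.

```python
import re

# First release containing the fix, per the 2.4.6 bump on this bug.
FIXED_VERSION = (2, 4, 6)

# Constructed sample spark-defaults.conf for a standalone master with
# shared-secret authentication turned on (hostname is made up).
SAMPLE_CONF = """\
# cluster settings
spark.master               spark://master.example.internal:7077
spark.authenticate         true
spark.authenticate.secret  REDACTED
"""


def parse_version(text):
    """Return the (major, minor, patch) tuple found in e.g. 'Spark 2.4.5'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())


def parse_spark_defaults(text):
    """Parse 'key value' / 'key=value' lines; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def triage(conf, version):
    """Classify a host: 'fixed', 'not-standalone', 'unauthenticated-master'
    (open by configuration, so enabling spark.authenticate and upgrading is
    the fix) or 'affected' (auth is relied on but bypassable: upgrade)."""
    if version >= FIXED_VERSION:
        return "fixed"
    if not conf.get("spark.master", "").startswith("spark://"):
        return "not-standalone"
    if conf.get("spark.authenticate", "false").lower() != "true":
        return "unauthenticated-master"
    return "affected"


if __name__ == "__main__":
    conf = parse_spark_defaults(SAMPLE_CONF)
    print(triage(conf, parse_version("Spark 2.4.5")))  # affected
```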
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-23 01:59:05 UTC
Maintainers, please bump.
Comment 2 Larry the Git Cow gentoo-dev 2020-07-16 14:39:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=517a73e1a50509ad8f834400a45eb9a987fe35b9

commit 517a73e1a50509ad8f834400a45eb9a987fe35b9
Author:     Alec Ten Harmsel <alec@alectenharmsel.com>
AuthorDate: 2020-06-23 10:43:02 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-07-16 14:38:42 +0000

    sys-cluster/spark-bin: Remove 2.4.5
    
    Insecure (see CVE-2020-9480).
    
    Bug: https://bugs.gentoo.org/729222
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Alec Ten Harmsel <alec@alectenharmsel.com>
    Closes: https://github.com/gentoo/gentoo/pull/16383
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-cluster/spark-bin/Manifest               |  1 -
 sys-cluster/spark-bin/spark-bin-2.4.5.ebuild | 61 ----------------------------
 2 files changed, 62 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c182e63b5cb2e159edd60c2ebaebfefe46504d9

commit 9c182e63b5cb2e159edd60c2ebaebfefe46504d9
Author:     Alec Ten Harmsel <alec@alectenharmsel.com>
AuthorDate: 2020-06-23 10:39:15 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-07-16 14:38:42 +0000

    sys-cluster/spark-bin: Bump to 2.4.6
    
    2.4.5 and earlier are insecure (see CVE-2020-9480).
    
    Bug: https://bugs.gentoo.org/729222
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Alec Ten Harmsel <alec@alectenharmsel.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-cluster/spark-bin/Manifest               |  1 +
 sys-cluster/spark-bin/spark-bin-2.4.6.ebuild | 61 ++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-16 15:51:58 UTC
Thanks. All done.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-23 06:54:30 UTC
All done, noglsa, closing.