Bug 729222 (CVE-2020-9480) - <sys-cluster/spark-bin-2.4.6: Remote code execution vulnerability (CVE-2020-9480)
Summary: <sys-cluster/spark-bin-2.4.6: Remote code execution vulnerability (CVE-2020-9...
Status: RESOLVED FIXED
Alias: CVE-2020-9480
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://spark.apache.org/security.html
Whiteboard: ~1 [noglsa]
Keywords: PullRequest
Depends on:
Blocks:
Reported: 2020-06-23 01:58 UTC by John Helmert III (ajak)
Modified: 2020-07-23 06:54 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description John Helmert III (ajak) 2020-06-23 01:58:05 UTC
Description:

In Apache Spark 2.4.5 and earlier, a standalone resource manager’s master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application’s resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine.

This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
Comment 1 John Helmert III (ajak) 2020-06-23 01:59:05 UTC
Maintainers, please bump.
Comment 2 Larry the Git Cow gentoo-dev 2020-07-16 14:39:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=517a73e1a50509ad8f834400a45eb9a987fe35b9

commit 517a73e1a50509ad8f834400a45eb9a987fe35b9
Author:     Alec Ten Harmsel <alec@alectenharmsel.com>
AuthorDate: 2020-06-23 10:43:02 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-07-16 14:38:42 +0000

    sys-cluster/spark-bin: Remove 2.4.5
    
    Insecure (see CVE-2020-9480).
    
    Bug: https://bugs.gentoo.org/729222
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Alec Ten Harmsel <alec@alectenharmsel.com>
    Closes: https://github.com/gentoo/gentoo/pull/16383
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-cluster/spark-bin/Manifest               |  1 -
 sys-cluster/spark-bin/spark-bin-2.4.5.ebuild | 61 ----------------------------
 2 files changed, 62 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c182e63b5cb2e159edd60c2ebaebfefe46504d9

commit 9c182e63b5cb2e159edd60c2ebaebfefe46504d9
Author:     Alec Ten Harmsel <alec@alectenharmsel.com>
AuthorDate: 2020-06-23 10:39:15 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-07-16 14:38:42 +0000

    sys-cluster/spark-bin: Bump to 2.4.6
    
    2.4.5 and earlier are insecure (see CVE-2020-9480).
    
    Bug: https://bugs.gentoo.org/729222
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Alec Ten Harmsel <alec@alectenharmsel.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-cluster/spark-bin/Manifest               |  1 +
 sys-cluster/spark-bin/spark-bin-2.4.6.ebuild | 61 ++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
Comment 3 Sam James archtester gentoo-dev Security 2020-07-16 15:51:58 UTC
Thanks. All done.
Comment 4 John Helmert III (ajak) 2020-07-23 06:54:30 UTC
All done, noglsa, closing.