https://community.cloudera.com/t5/Support-Questions/CVE-2022-33891/m-p/352725#M236584 <P><SPAN>Hello,<BR /></SPAN><SPAN>parameters you mentioned do not appear in Ambari.<BR />Does that mean our clusters are running with the default settings, exposing the clusters to the vulnerability ?<BR />Please, could you provide the way to set this parameters (which custom settings for Spark 1 and Spark 2 as well as the keys and values).<BR /></SPAN><SPAN>Thanks in advance.<BR /></SPAN></P> Tue, 20 Sep 2022 12:51:26 GMT jeromedruais 2022-09-20T12:51:26Z https://community.cloudera.com/t5/Support-Questions/CVE-2022-33891/m-p/348570#M235396 <P>Hello, a new CVE appears on Apache Spark. Does it impact every versions of Spark ?</P><P><A href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33891" target="_blank" rel="noopener">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33891</A></P><P>Thanks in advance for your help.</P> Fri, 22 Jul 2022 15:13:12 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-33891/m-p/348570#M235396 jeromedruais 2022-07-22T15:13:12Z https://community.cloudera.com/t5/Support-Questions/CVE-2022-33891/m-p/348611#M235405 <P>Hi&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/78359">@jeromedruais</a>, this is a snown security issue <EM>CVE-2022-33891: Apache Spark shell command injection vulnerability via Spark UI&nbsp;</EM>reported in&nbsp;<A href="https://spark.apache.org/security.html" target="_blank" rel="noopener">https://spark.apache.org/security.html</A></P><P>For mitigation, update to Spark 3.1.3, 3.2.2, or 3.3.0 or later</P> Sat, 23 Jul 2022 13:56:18 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-33891/m-p/348611#M235405 jagadeesan 2022-07-23T13:56:18Z https://community.cloudera.com/t5/Support-Questions/CVE-2022-33891/m-p/348790#M235449 <P>Thanks <a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/67146">@jagadeesan</a> for your answer.<BR />So, will you provide fixes for any HDP or CDP version to mitigate this issue ?</P><P>&nbsp;</P> Tue, 26 Jul 2022 08:13:44 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-33891/m-p/348790#M235449 jeromedruais 2022-07-26T08:13:44Z https://community.cloudera.com/t5/Support-Questions/CVE-2022-33891/m-p/349116#M235530 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/78359">@jeromedruais</a>&nbsp; Cluster is affected by the CVE-2022-33891 if only when the GroupMappingServiceProvider is called, i.e., when spark.history.ui.acls.enable / spark.acls.enable is enabled. Please make sure you have not enabled any Spark ACLs in your cluster. To verify you can check parameter settings via Ambari or Cloudera Manager UI -&gt; spark configurations -&gt; search for parameter spark.history.ui.acls.enable / spark.acls.enable and check if the value is enabled or disabled. To&nbsp;<SPAN>mitigate this issue you can disable Spark ACLs.&nbsp;</SPAN></P> Sat, 30 Jul 2022 01:42:23 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-33891/m-p/349116#M235530 jagadeesan 2022-07-30T01:42:23Z https://community.cloudera.com/t5/Support-Questions/CVE-2022-33891/m-p/349273#M235587 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/78359">@jeromedruais</a>&nbsp;Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks!</P> Mon, 01 Aug 2022 14:58:17 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-33891/m-p/349273#M235587 DianaTorres 2022-08-01T14:58:17Z https://community.cloudera.com/t5/Support-Questions/CVE-2022-33891/m-p/351439#M236259 <P>Thanks for this answer I haven't seen before today.<BR />Does the community should provide a fix for Spark 2 versions ?</P> Fri, 02 Sep 2022 15:14:39 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-33891/m-p/351439#M236259 jeromedruais 2022-09-02T15:14:39Z https://community.cloudera.com/t5/Support-Questions/CVE-2022-33891/m-p/352725#M236584 <P><SPAN>Hello,<BR /></SPAN><SPAN>parameters you mentioned do not appear in Ambari.<BR />Does that mean our clusters are running with the default settings, exposing the clusters to the vulnerability ?<BR />Please, could you provide the way to set this parameters (which custom settings for Spark 1 and Spark 2 as well as the keys and values).<BR /></SPAN><SPAN>Thanks in advance.<BR /></SPAN></P> Tue, 20 Sep 2022 12:51:26 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-33891/m-p/352725#M236584 jeromedruais 2022-09-20T12:51:26Z https://community.cloudera.com/t5/Support-Questions/CVE-2022-33891/m-p/353318#M236687 <P>Hello <a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/67146">@jagadeesan</a>&nbsp;, <a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/80393">@rki_</a>&nbsp;<BR />parameters you mentioned do not appear in Ambari.<BR />Does that mean our clusters are running with the default settings, exposing the clusters to the vulnerability ?<BR />Please, could you provide the way to set this parameters (which custom settings for Spark 1 and Spark 2 as well as the keys and values).<BR />Thanks in advance.</P> Mon, 26 Sep 2022 13:57:08 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-33891/m-p/353318#M236687 jeromedruais 2022-09-26T13:57:08Z