
Are there any effects on Spark2 from CVE-2022-33891?

New Contributor

I'm checking whether CVE-2022-33891 has any effect on Spark2 or not.

Is there anyone who can explain it to me?

1 ACCEPTED SOLUTION

Expert Contributor

Hi @JiHoone,

Spark security vulnerability CVE-2022-33891 affects Spark 2 and Spark 3 versions but not the 3.1.3, 3.0.4, 3.3.0, 3.2.2 versions. The CVE only applies if you have enabled ACLs on the SHS UI. By default, ACLs are disabled. If ACLs are enabled, then specified users and groups have access, and group membership is checked using ShellBasedGroupsMappingProvider (which is the class with the vulnerability).

The cluster is affected by the CVE only when the GroupMappingServiceProvider is called, which means when spark.history.ui.acls.enable or spark.acls.enable is enabled.


Hello @rki_, how can we see or configure it to disable ACLs?
Thanks for your answer.

Expert Contributor

Hi. Inside Spark, you can check for spark.history.ui.acls.enable and spark.acls.enable. These should be false by default.

https://spark.apache.org/docs/2.4.3/security.html#authentication-and-authorization
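As an added example (not code from the thread, from Cloudera or from Apache Spark), the following Python script audits a `spark-defaults.conf` for exactly the precondition described above: it parses the file in the `key value` / `key=value` / `key: value` forms that Spark accepts, reads the two ACL switches, and treats an absent key as `false`, which is Spark's default and covers the case where the property does not show up in Ambari at all. The sample configuration embedded in the script is constructed for illustration. The `spark.user.groups.mapping` property (default `org.apache.spark.security.ShellBasedGroupsMappingProvider`) is taken from the Spark security documentation rather than from this thread, and is reported only so you can see which provider class would be invoked if ACLs were on.

```python
"""Audit a spark-defaults.conf for the CVE-2022-33891 precondition.

The vulnerable code path (ShellBasedGroupsMappingProvider) is only reached
when one of the ACL switches below is true. Absent keys default to false.
Run against the spark-defaults.conf used by the Spark History Server host
and by your driver configuration (on HDP these are the spark2-defaults
settings pushed out by Ambari).
"""
import re
import sys

# ACL switches named in the thread; either one being true routes group
# lookups through the group mapping provider.
ACL_KEYS = ("spark.acls.enable", "spark.history.ui.acls.enable")

# Property and default taken from the Spark security docs (not from the thread).
PROVIDER_KEY = "spark.user.groups.mapping"
DEFAULT_PROVIDER = "org.apache.spark.security.ShellBasedGroupsMappingProvider"

# Spark loads this file with java.util.Properties semantics: the key ends at
# the first whitespace, '=' or ':'; the separator is optional around '='/':'.
_PROP_RE = re.compile(r"^([^\s=:]+)\s*(?:[=:]|\s)\s*(.*)$")

# Constructed sample, not taken from any real cluster.
SAMPLE_HISTORY_SERVER_CONF = """\
# constructed spark-defaults.conf for the history server host
spark.master                     yarn
spark.eventLog.enabled=true
spark.history.ui.acls.enable     true
spark.history.ui.admin.acls      spark,admin
"""


def parse_spark_defaults(text: str) -> dict:
    """Return the key/value pairs of a spark-defaults.conf as a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # comment lines in java.util.Properties syntax
        match = _PROP_RE.match(line)
        if match:
            key, value = match.group(1), match.group(2).strip()
        else:
            key, value = line, ""  # bare key with no value
        props[key] = value
    return props


def str_to_bool(value: str) -> bool:
    """Spark's boolean parsing for these flags: only the literal 'true' enables."""
    return value.strip().lower() == "true"


def acl_flags(props: dict) -> dict:
    """Effective value of each ACL switch; missing keys are false (Spark default)."""
    return {key: str_to_bool(props.get(key, "false")) for key in ACL_KEYS}


def assess(text: str) -> dict:
    """Summarise whether the vulnerable group-mapping path is reachable."""
    props = parse_spark_defaults(text)
    flags = acl_flags(props)
    return {
        "flags": flags,
        # Reachable only if at least one ACL switch is on.
        "exposed": any(flags.values()),
        "group_provider": props.get(PROVIDER_KEY, DEFAULT_PROVIDER),
    }


def report(text: str) -> str:
    """Human-readable one-paragraph verdict for the given config text."""
    result = assess(text)
    lines = [f"{k} = {str(v).lower()}" for k, v in result["flags"].items()]
    if result["exposed"]:
        lines.append(
            "ACLs enabled: group lookups go through "
            f"{result['group_provider']}; CVE-2022-33891 precondition is met."
        )
    else:
        lines.append("ACLs disabled (default): vulnerable group mapping path not reached.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python audit_spark_acls.py [/path/to/spark-defaults.conf]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HISTORY_SERVER_CONF
    print(report(text))
```

Point the script at the `spark-defaults.conf` on every host that runs the History Server or submits jobs; a file with neither key present reports the default, non-exposed state, which matches the behaviour described above for a cluster where the properties were never added in Ambari.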

Hi @rki_, unfortunately, on my Kerberos cluster (HDP 2.6.5), I can't find it in Spark from Ambari.
Do I need to add them explicitly to the custom Spark configs even though they're disabled (false) by default?
