Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

CVE-2022-33891

Labels:
avatar
author-rank jeromedruais
Explorer

Created ‎07-22-2022 08:13 AM

Hello, a new CVE appears on Apache Spark. Does it impact every versions of Spark ?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33891

Thanks in advance for your help.

15,936 Views
0 Kudos
7 REPLIES 7

avatar
author-rank jagadeesan author-rank
Master Collaborator

Created ‎07-23-2022 06:56 AM

Hi @jeromedruais, this is a snown security issue CVE-2022-33891: Apache Spark shell command injection vulnerability via Spark UI reported in https://spark.apache.org/security.html

For mitigation, update to Spark 3.1.3, 3.2.2, or 3.3.0 or later

15,909 Views
0 Kudos

avatar
author-rank jeromedruais
Explorer

Created ‎07-26-2022 01:13 AM

Thanks @jagadeesan for your answer.
So, will you provide fixes for any HDP or CDP version to mitigate this issue ?

 

15,877 Views
0 Kudos

avatar
author-rank jagadeesan author-rank
Master Collaborator

Created ‎07-29-2022 06:42 PM

@jeromedruais  Cluster is affected by the CVE-2022-33891 if only when the GroupMappingServiceProvider is called, i.e., when spark.history.ui.acls.enable / spark.acls.enable is enabled. Please make sure you have not enabled any Spark ACLs in your cluster. To verify you can check parameter settings via Ambari or Cloudera Manager UI -> spark configurations -> search for parameter spark.history.ui.acls.enable / spark.acls.enable and check if the value is enabled or disabled. To mitigate this issue you can disable Spark ACLs. 

15,828 Views
0 Kudos

avatar
author-rank jeromedruais
Explorer

Created ‎09-02-2022 08:14 AM

Thanks for this answer I haven't seen before today.
Does the community should provide a fix for Spark 2 versions ?

15,682 Views
0 Kudos

avatar
author-rank jeromedruais
Explorer

Created ‎09-20-2022 05:51 AM

Hello,
parameters you mentioned do not appear in Ambari.
Does that mean our clusters are running with the default settings, exposing the clusters to the vulnerability ?
Please, could you provide the way to set this parameters (which custom settings for Spark 1 and Spark 2 as well as the keys and values).
Thanks in advance.

15,584 Views
0 Kudos

avatar
author-rank jeromedruais
Explorer

Created ‎09-26-2022 06:57 AM

Hello @jagadeesan , @rki_ 
parameters you mentioned do not appear in Ambari.
Does that mean our clusters are running with the default settings, exposing the clusters to the vulnerability ?
Please, could you provide the way to set this parameters (which custom settings for Spark 1 and Spark 2 as well as the keys and values).
Thanks in advance.

3,208 Views
0 Kudos

avatar
author-rank DianaTorres author-rank
Community Manager

Created ‎08-01-2022 07:58 AM

@jeromedruais Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks!

Regards,

Diana Torres,
Community Moderator

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
15,806 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements