CVE-2022-33891

Hello, a new CVE appears on Apache Spark. Does it impact every version of Spark?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33891

Thanks in advance for your help.

Master Collaborator

Hi @jeromedruais, this is a known security issue, CVE-2022-33891: Apache Spark shell command injection vulnerability via Spark UI, reported at https://spark.apache.org/security.html

For mitigation, update to Spark 3.1.3, 3.2.2, or 3.3.0 or later.

Thanks @jagadeesan for your answer.
So, will you provide fixes for any HDP or CDP version to mitigate this issue?

Master Collaborator

@jeromedruais The cluster is affected by CVE-2022-33891 only when the GroupMappingServiceProvider is called, i.e., when spark.history.ui.acls.enable / spark.acls.enable is enabled. Please make sure you have not enabled any Spark ACLs in your cluster. To verify, you can check the parameter settings via Ambari or Cloudera Manager UI -> spark configurations -> search for parameter spark.history.ui.acls.enable / spark.acls.enable and check if the value is enabled or disabled. To mitigate this issue you can disable Spark ACLs.
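The check described in the reply above can also be run directly against a spark-defaults.conf file. The following is an added example, not part of the original reply or of any Cloudera or Spark tooling; the function names and the sample file contents are constructed for illustration, and it assumes Spark's default of false for both settings when the key is absent.

```python
import re
import sys

# The two settings named in the reply above. Spark treats both as false
# when the key is absent from the configuration.
ACL_KEYS = ("spark.acls.enable", "spark.history.ui.acls.enable")

# Constructed sample file contents, not taken from a real cluster.
SAMPLE_CONF = """\
# spark-defaults.conf (constructed example)
spark.master                      yarn
spark.eventLog.enabled            true
spark.acls.enable=TRUE
spark.history.ui.acls.enable      false
"""


def parse_spark_conf(text):
    """Parse properties-style lines: 'key value', 'key=value' or 'key: value'."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        parts = re.split(r"\s*[=:]\s*|\s+", line, maxsplit=1)
        # A later occurrence of a key overrides an earlier one.
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def enabled_acl_keys(conf):
    """Return the ACL keys set to true (case-insensitive); absent means false."""
    return [k for k in ACL_KEYS if conf.get(k, "false").lower() == "true"]


if __name__ == "__main__":
    # Pass the path to spark-defaults.conf; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONF
    hits = enabled_acl_keys(parse_spark_conf(text))
    if hits:
        print("Spark ACLs enabled (condition from the reply is met):", ", ".join(hits))
    else:
        print("Neither ACL setting is enabled in this file.")
```

This only inspects the defaults file; the same keys can also be set per application through spark-submit --conf or in application code, so those need to be reviewed separately.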

Thanks for this answer I haven't seen before today.
Should the community provide a fix for Spark 2 versions?

Hello,
The parameters you mentioned do not appear in Ambari.
Does that mean our clusters are running with the default settings, exposing the clusters to the vulnerability?
Please, could you provide the way to set these parameters (which custom settings for Spark 1 and Spark 2 as well as the keys and values).
Thanks in advance.

Hello @jagadeesan, @rki_
The parameters you mentioned do not appear in Ambari.
Does that mean our clusters are running with the default settings, exposing the clusters to the vulnerability?
Please, could you provide the way to set these parameters (which custom settings for Spark 1 and Spark 2 as well as the keys and values).
Thanks in advance.

Community Manager

@jeromedruais Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks!


Regards,

Diana Torres,
Community Moderator
