
CVE-2022-33891

Hello, a new CVE has appeared for Apache Spark. Does it impact every version of Spark?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33891

Thanks in advance for your help.


Expert Contributor

Hi @jeromedruais, this is a known security issue, CVE-2022-33891: Apache Spark shell command injection vulnerability via Spark UI, reported in https://spark.apache.org/security.html

For mitigation, update to Spark 3.1.3, 3.2.2, or 3.3.0 or later.

Thanks @jagadeesan for your answer.
So, will you provide fixes for any HDP or CDP version to mitigate this issue?

Expert Contributor

@jeromedruais A cluster is affected by CVE-2022-33891 only when the GroupMappingServiceProvider is called, i.e., when spark.history.ui.acls.enable / spark.acls.enable is enabled. Please make sure you have not enabled any Spark ACLs in your cluster. To verify, you can check the parameter settings via the Ambari or Cloudera Manager UI -> Spark configurations -> search for the parameters spark.history.ui.acls.enable / spark.acls.enable and check whether the value is enabled or disabled. To mitigate this issue you can disable Spark ACLs.
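The check described in the reply above, done against the configuration file rather than the UI, as an added example that is not part of the thread or of any Cloudera/Spark tooling. It reads a spark-defaults.conf, extracts the effective value of the two ACL keys named in the reply (a key that is absent counts as disabled, which matches Spark's documented default of false for both), and reports whether either switch is on. The config path and the sample file contents are constructed for the demonstration; point the function at your own cluster's spark-defaults.conf (for example under the Spark or Spark2 conf directory) to run it for real.

```shell
#!/bin/sh
# Added example: report whether Spark ACLs (the precondition named in the
# reply above) are enabled in a spark-defaults.conf. Not Cloudera/Spark code.

# acl_value FILE KEY -> prints "true" if KEY is set to true (case-insensitive),
# otherwise "false". Absent or commented-out keys count as false, which is
# Spark's documented default for both ACL keys. Last definition wins.
acl_value() {
  file="$1"; key="$2"
  val=$(grep -v '^[[:space:]]*#' "$file" 2>/dev/null \
        | sed -n "s/^[[:space:]]*${key}[[:space:]=]\{1,\}\([^[:space:]]*\).*/\1/p" \
        | tail -n 1)
  case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
    true) echo true ;;
    *)    echo false ;;
  esac
}

# acls_enabled FILE -> exit 0 if spark.acls.enable or
# spark.history.ui.acls.enable is true (the GroupMappingServiceProvider
# path is reachable), exit 1 if both are off.
acls_enabled() {
  file="$1"
  [ "$(acl_value "$file" spark.acls.enable)" = true ] ||
  [ "$(acl_value "$file" spark.history.ui.acls.enable)" = true ]
}

# Constructed sample config (not taken from a real cluster).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# spark-defaults.conf (constructed sample)
spark.master                       yarn
spark.acls.enable                  false
spark.history.ui.acls.enable       true
EOF

if acls_enabled "$SAMPLE_CONF"; then
  echo "Spark ACLs are enabled in $SAMPLE_CONF; the CVE-2022-33891 precondition is met, apply the mitigation from the reply above"
else
  echo "Spark ACLs are disabled in $SAMPLE_CONF"
fi
rm -f "$SAMPLE_CONF"
```

The parser accepts both the whitespace-separated form Spark uses in spark-defaults.conf and a `key=value` form, ignores commented-out lines, and requires a separator after the key so that a longer key with the same prefix is not mistaken for a match. On HDP/CDP clusters the file in the conf directory is what Ambari or Cloudera Manager renders, so checking the file and checking the UI should agree.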

Thanks for this answer, which I hadn't seen before today.
Should the community provide a fix for Spark 2 versions?

Hello @jagadeesan, @rki_,
The parameters you mentioned do not appear in Ambari.
Does that mean our clusters are running with the default settings, exposing the clusters to the vulnerability?
Please, could you provide the way to set these parameters (which custom settings for Spark 1 and Spark 2, as well as the keys and values)?
Thanks in advance.

Community Manager

@jeromedruais Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks!


Regards,

Diana Torres,
Community Moderator

