CVE-2020-9480: Apache Spark Remote Code Execution Vulnerability Alert

Recently, Apache Spark officially released the Apache Spark remote code execution risk notice. The vulnerability number is CVE-2020-9480, and the vulnerability level is high risk.

Apache Spark is an open-source distributed general-purpose cluster-computing framework. Spark provides an interface for programming entire clusters with implicit data parallelism and fault tolerance.

In Apache Spark 2.4.5 and earlier, the main server of the independent resource manager may be configured to require authentication through a shared key (spark.authenticate). However, due to flaws in Spark’s authentication mechanism, shared key authentication has failed. An attacker could exploit this vulnerability to execute commands on the host without authorization, resulting in remote code execution.

Vulnerability details

In Apache Spark 2.4.5 and earlier, a standalone resource manager’s master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application’s resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine.

Affected version

• Apache Spark：<=2.4.5

Solution

Upgrade to Spark version 2.4.6 or Spark version 3.0.0.