Apache Spark CVE-2018-17190 Remote Code Execution Vulnerability

Bugtraq ID:	105976
Class:	Input Validation Error
CVE:	CVE-2018-17190
Remote:	Yes
Local:	No
Published:	Nov 18 2018 12:00AM
Updated:	Nov 18 2018 12:00AM
Credit:	Andre Protas, Apple Information Security
Vulnerable:	Citrix XenServer 7.6 Apache Spark 2.4 Apache Spark 2.3 Apache Spark 2.2 Apache Spark 2.1.1 Apache Spark 2.1 Apache Spark 2.0.2 Apache Spark 2.0.1 Apache Spark 2.0 Apache Spark 1.6.3 Apache Spark 1.6.1 Apache Spark 1.6 Apache Spark 1.5 Apache Spark 1.4 Apache Spark 1.3.1 Apache Spark 1.3 Apache Spark 1.2.1 Apache Spark 1.2 Apache Spark 1.1.1 Apache Spark 1.1 Apache Spark 1.0.2 Apache Spark 1.0.1 Apache Spark 1.0 Apache Spark 0.9.2 Apache Spark 0.9.1 Apache Spark 0.9 Apache Spark 0.8.1 Apache Spark 0.8 Apache Spark 0.7.3 Apache Spark 0.7.2 Apache Spark 0.7 Apache Spark 0.6.2 Apache Spark 0.6.1 Apache Spark 0.6 Apache Spark 0.5.2 Apache Spark 2.5
Not Vulnerable:

Apache Spark CVE-2018-17190 Remote Code Execution Vulnerability

Apache Spark is prone to a remote code-execution vulnerability.

An attacker can exploit this issue to execute arbitrary code within the context of the user running the affected application.
All versions of Apache Spark are vulnerable.

Apache Spark CVE-2018-17190 Remote Code Execution Vulnerability

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at [email protected].

Apache Spark CVE-2018-17190 Remote Code Execution Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Apache Spark CVE-2018-17190 Remote Code Execution Vulnerability

References:

• Apache Spark Homepage (Apache)
  
• CVE-2018-17190: Unsecured Apache Spark standalone executes user code (Apache)