Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-12612

In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later.

Published

2017-09-13T16:29:00.477

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 7.8 (HIGH)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:C/I:C/A:C

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

3.9

Impact Score

10.0

Weaknesses

Type: Primary
CWE-502

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	spark	1.6.0	Yes
Application	apache	spark	1.6.1	Yes
Application	apache	spark	1.6.2	Yes
Application	apache	spark	1.6.3	Yes
Application	apache	spark	2.0.0	Yes
Application	apache	spark	2.0.1	Yes
Application	apache	spark	2.0.2	Yes
Application	apache	spark	2.1.0	Yes
Application	apache	spark	2.1.1	Yes

References

http://www.securityfocus.com/bid/100823 Third Party Advisory, VDB Entry ([email protected])
https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E Mailing List, Vendor Advisory ([email protected])
http://www.securityfocus.com/bid/100823 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)