Date: Thu, 16 Apr 2015 18:05:30 -0400 (EDT)
From: cve-assign@...re.org
To: akhil@...moidanalytics.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Arbitary Code Execution in Apache Spark Cluster

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://codebreach.in/blog/2015/03/arbitary-code-execution-in-unsecured-apache-spark-cluster/

As far as we can tell, the essence of your report is related to:

  http://spark.apache.org/docs/latest/configuration.html
  Property Name: spark.authenticate
  Default: false
  Meaning: Whether Spark authenticates its internal connections.

If a user downloads spark-1.3.0.tgz, they will find a README.md with:

  Please refer to the [Configuration guide]
  (http://spark.apache.org/docs/latest/configuration.html)
  in the online documentation for an overview on how to configure
  Spark.

Also, because the product is advertised as a "general-purpose cluster
computing system," we think that downloaders would typically have some
experience in system or network administration, and should be able to
recognize whether a trusted network exists for all "internal
connections."

It's conceivable that the documentation should be expanded to further
discuss the risks of the default spark.authenticate value. MITRE is
not going to assign a CVE ID for this. It is a judgment call for the
upstream vendor. Because the upstream vendor has a process for
assigning CVE IDs, we feel it would be simplest and best here to use
that process, even if it is often not used in cases of publicly known
vulnerabilities. See the security@...che.org address on the
http://www.apache.org/security/committers.html page. It's their
decision on how to proceed.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVMDDEAAoJEKllVAevmvms7TAH/2VS+DAzJk77Z6bIa28/YNXh
3oErKwofEMfK7jOi0bUfglWGXRKRKA8RdyDq4TkCaoskP4buXDg/i411A8zwdoIb
pxSO7ocq6LnpxmrMoNdOnU+6c9eEIYK/LbcLAPBXneQNt6XnNc7blTrAJAPM/tWU
uApr3UyVNNG6W9SbeGz4tLkEPTbNBInEshpokWTn7n83iID9VvhKFJC6x4wCRb3q
paRpxzg7N3AWjm0uSQu3UJRTpKEbyFCFt0rHn7DWVQ2fZlj4K7VXnkCNYzE1ssbZ
S8iEhT09SKEg5sqqVN5vpuORfj7deoebnD9pbWTijUPcpXtuz/t7fYqbL+oaJ6Y=
=mHRi
-----END PGP SIGNATURE-----
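The message above turns on the single property spark.authenticate and its
documented default of false. The following is an added example, not code from
the MITRE message, the original report, or the Apache Spark project: a small
auditor that parses a spark-defaults.conf (one "key value" pair per line,
'#' comments) and reports whether internal-connection authentication is
actually enabled. It relies on the documented spark.authenticate and
spark.authenticate.secret properties; the sample configurations embedded in
it are constructed for illustration, and the minimum secret length it
complains about is an assumption of this example, not a Spark rule.

```python
"""Audit a spark-defaults.conf for the insecure spark.authenticate default.

Added example; not code from the MITRE message or the Apache Spark project.
Assumes the spark-defaults.conf format (one "key value" pair per line,
'#' comments) and the documented spark.authenticate /
spark.authenticate.secret properties. Sample configs are constructed.
"""

# Constructed sample: a cluster left at the documented default (false).
WEAK_CONF = """
# spark-defaults.conf (constructed example)
spark.master            spark://master:7077
spark.eventLog.enabled  true
"""

# Constructed sample: authentication switched on but no secret configured.
HALF_CONF = """
spark.master             spark://master:7077
spark.authenticate       true
"""

# Constructed sample: authentication on with a shared secret.
HARDENED_CONF = """
spark.master              spark://master:7077
spark.authenticate        true
spark.authenticate.secret 0f3a9c1e7b2d4e6f8a1b3c5d7e9f0a2b
"""

# Assumption of this example: secrets shorter than this are flagged.
MIN_SECRET_LEN = 16


def parse_spark_defaults(text):
    """Parse spark-defaults.conf text into a dict of property -> value.

    Spark reads one property per line, key and value separated by
    whitespace; blank lines and lines starting with '#' are ignored.
    Malformed lines (a key with no value) are skipped so the audit can
    still run over real configs with odd entries.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        props[key] = value.strip()
    return props


def audit_authentication(props):
    """Return a list of findings about Spark internal-connection auth.

    An empty list means spark.authenticate is true and a secret of
    acceptable length is present. Because the documented default for
    spark.authenticate is false, an absent key is treated exactly like
    an explicit "false".
    """
    findings = []
    if "spark.authenticate" not in props:
        state = "unset (default false)"
    else:
        state = props["spark.authenticate"].lower()
    if state != "true":
        findings.append(
            "spark.authenticate is %s: internal connections are "
            "unauthenticated, so anyone who can reach the cluster "
            "network can talk to it" % state
        )
        return findings

    secret = props.get("spark.authenticate.secret", "")
    if not secret:
        findings.append(
            "spark.authenticate is true but spark.authenticate.secret is "
            "unset; outside YARN the secret must be configured explicitly"
        )
    elif len(secret) < MIN_SECRET_LEN:
        findings.append(
            "spark.authenticate.secret is short (%d chars); use a long "
            "random value" % len(secret)
        )
    return findings


def audit_text(text):
    """Convenience wrapper: parse a config and audit it in one call."""
    return audit_authentication(parse_spark_defaults(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("half", HALF_CONF),
                       ("hardened", HARDENED_CONF)):
        result = audit_text(conf) or ["ok"]
        print("%-9s %s" % (name + ":", "; ".join(result)))
```

Run it against a real cluster by reading $SPARK_HOME/conf/spark-defaults.conf
into audit_text(); an empty result only says the properties are set, not that
the secret was distributed safely or that the network is otherwise trusted.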
