Date: Fri, 17 Apr 2015 12:19:09 +0530 From: Akhil Das <akhil@...moidanalytics.com> To: cve-assign@...re.org Cc: oss-security@...ts.openwall.com Subject: Re: CVE Request: Arbitary Code Execution in Apache Spark Cluster I see, thanks a lot for the response. Thanks Best Regards On Fri, Apr 17, 2015 at 3:35 AM, <cve-assign@...re.org> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > http://codebreach.in/blog/2015/03/arbitary-code-execution-in-unsecured-apache-spark-cluster/ > > As far as we can tell, the essence of your report is related to: > > http://spark.apache.org/docs/latest/configuration.html > Property Name: spark.authenticate > Default: false > Meaning: Whether Spark authenticates its internal connections. > > If a user downloads spark-1.3.0.tgz, they will find a README.md with: > > Please refer to the [Configuration guide] > (http://spark.apache.org/docs/latest/configuration.html) > in the online documentation for an overview on how to configure > Spark. > > Also, because the product is advertised as a "general-purpose cluster > computing system," we think that downloaders would typically have some > experience in system or network administration, and should be able to > recognize whether a trusted network exists for all "internal > connections." > > It's conceivable that the documentation should be expanded to further > discuss the risks of the default spark.authenticate value. MITRE is > not going to assign a CVE ID for this. It is a judgment call for the > upstream vendor. Because the upstream vendor has a process for > assigning CVE IDs, we feel it would be simplest and best here to use > that process, even if it is often not used in cases of publicly known > vulnerabilities. See the security@...che.org address on the > http://www.apache.org/security/committers.html page. It's their > decision on how to proceed. > > - -- > CVE assignment team, MITRE CVE Numbering Authority > M/S M300 > 202 Burlington Road, Bedford, MA 01730 USA > [ PGP key available through http://cve.mitre.org/cve/request_id.html ] > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.14 (SunOS) > > iQEcBAEBAgAGBQJVMDDEAAoJEKllVAevmvms7TAH/2VS+DAzJk77Z6bIa28/YNXh > 3oErKwofEMfK7jOi0bUfglWGXRKRKA8RdyDq4TkCaoskP4buXDg/i411A8zwdoIb > pxSO7ocq6LnpxmrMoNdOnU+6c9eEIYK/LbcLAPBXneQNt6XnNc7blTrAJAPM/tWU > uApr3UyVNNG6W9SbeGz4tLkEPTbNBInEshpokWTn7n83iID9VvhKFJC6x4wCRb3q > paRpxzg7N3AWjm0uSQu3UJRTpKEbyFCFt0rHn7DWVQ2fZlj4K7VXnkCNYzE1ssbZ > S8iEhT09SKEg5sqqVN5vpuORfj7deoebnD9pbWTijUPcpXtuz/t7fYqbL+oaJ6Y= > =mHRi > -----END PGP SIGNATURE----- >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ