Date: Fri, 17 Apr 2015 12:19:09 +0530
From: Akhil Das <>
Subject: Re: CVE Request: Arbitrary Code Execution in Apache Spark Cluster

I see, thanks a lot for the response.

Best Regards

On Fri, Apr 17, 2015 at 3:35 AM, <> wrote:

> As far as we can tell, the essence of your report is related to:
>   Property Name: spark.authenticate
>   Default: false
>   Meaning: Whether Spark authenticates its internal connections.
> If a user downloads spark-1.3.0.tgz, they will find a with:
>   Please refer to the [Configuration guide]
>   (
>   in the online documentation for an overview on how to configure
>   Spark.
> Also, because the product is advertised as a "general-purpose cluster
> computing system," we think that downloaders would typically have some
> experience in system or network administration, and should be able to
> recognize whether a trusted network exists for all "internal
> connections."
> It's conceivable that the documentation should be expanded to further
> discuss the risks of the default spark.authenticate value. MITRE is
> not going to assign a CVE ID for this. It is a judgment call for the
> upstream vendor. Because the upstream vendor has a process for
> assigning CVE IDs, we feel it would be simplest and best here to use
> that process, even if it is often not used in cases of publicly known
> vulnerabilities. See the address on the
> page. It's their
> decision on how to proceed.
> --
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through ]
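As an added example, not part of this thread or of Spark itself: a small audit script that parses a spark-defaults.conf the way Spark's java.util.Properties loader does and reports when authentication of internal connections is left at the default described above. The two sample files are constructed; the companion property spark.authenticate.secret comes from the Spark configuration documentation rather than from this page.

```python
import re

# Constructed sample of a spark-defaults.conf shipped with the default the
# MITRE reply describes: spark.authenticate is absent, so it is false.
SAMPLE_CONF_WEAK = """\
# Default system properties included when running spark-submit.
spark.master            spark://master:7077
spark.eventLog.enabled  true
"""

# Same file with internal authentication switched on (constructed).
SAMPLE_CONF_HARDENED = """\
spark.master                 spark://master:7077
spark.authenticate           true
spark.authenticate.secret    REPLACE-WITH-A-LONG-RANDOM-SECRET
"""


def parse_spark_conf(text):
    """Parse the java.util.Properties style used by spark-defaults.conf:
    '#' or '!' comment lines, and key/value split on the first '=', ':'
    or run of whitespace. A key listed twice keeps its last value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^\s=:]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_authentication(props):
    """Return a list of findings about Spark's internal-connection auth.
    A missing spark.authenticate means the documented default, false."""
    findings = []
    enabled = props.get("spark.authenticate", "false").lower() == "true"
    if not enabled:
        findings.append("spark.authenticate is false (default): internal "
                        "connections accept unauthenticated peers")
    elif not props.get("spark.authenticate.secret"):
        # Assumption: a shared secret is required outside YARN (not on the page).
        findings.append("spark.authenticate is true but no "
                        "spark.authenticate.secret is set")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_CONF_WEAK), ("hardened", SAMPLE_CONF_HARDENED)):
        print(name, audit_authentication(parse_spark_conf(text)) or ["ok"])
```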
