Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 17 Apr 2015 12:19:09 +0530
From: Akhil Das <akhil@...moidanalytics.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Arbitary Code Execution in Apache Spark Cluster

I see, thanks a lot for the response.

Thanks
Best Regards

On Fri, Apr 17, 2015 at 3:35 AM, <cve-assign@...re.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> >
> http://codebreach.in/blog/2015/03/arbitary-code-execution-in-unsecured-apache-spark-cluster/
>
> As far as we can tell, the essence of your report is related to:
>
>   http://spark.apache.org/docs/latest/configuration.html
>   Property Name: spark.authenticate
>   Default: false
>   Meaning: Whether Spark authenticates its internal connections.
>
> If a user downloads spark-1.3.0.tgz, they will find a README.md with:
>
>   Please refer to the [Configuration guide]
>   (http://spark.apache.org/docs/latest/configuration.html)
>   in the online documentation for an overview on how to configure
>   Spark.
>
> Also, because the product is advertised as a "general-purpose cluster
> computing system," we think that downloaders would typically have some
> experience in system or network administration, and should be able to
> recognize whether a trusted network exists for all "internal
> connections."
>
> It's conceivable that the documentation should be expanded to further
> discuss the risks of the default spark.authenticate value. MITRE is
> not going to assign a CVE ID for this. It is a judgment call for the
> upstream vendor. Because the upstream vendor has a process for
> assigning CVE IDs, we feel it would be simplest and best here to use
> that process, even if it is often not used in cases of publicly known
> vulnerabilities. See the security@...che.org address on the
> http://www.apache.org/security/committers.html page. It's their
> decision on how to proceed.
>
> - --
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.14 (SunOS)
>
> iQEcBAEBAgAGBQJVMDDEAAoJEKllVAevmvms7TAH/2VS+DAzJk77Z6bIa28/YNXh
> 3oErKwofEMfK7jOi0bUfglWGXRKRKA8RdyDq4TkCaoskP4buXDg/i411A8zwdoIb
> pxSO7ocq6LnpxmrMoNdOnU+6c9eEIYK/LbcLAPBXneQNt6XnNc7blTrAJAPM/tWU
> uApr3UyVNNG6W9SbeGz4tLkEPTbNBInEshpokWTn7n83iID9VvhKFJC6x4wCRb3q
> paRpxzg7N3AWjm0uSQu3UJRTpKEbyFCFt0rHn7DWVQ2fZlj4K7VXnkCNYzE1ssbZ
> S8iEhT09SKEg5sqqVN5vpuORfj7deoebnD9pbWTijUPcpXtuz/t7fYqbL+oaJ6Y=
> =mHRi
> -----END PGP SIGNATURE-----
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ