Apache Spark History Server Code Execution Vulnerability

Vulnerability

A code execution vulnerability has been identified in the Apache Spark History Server, affecting versions prior to 3.5.7 and 4.0.1. The issue arises from overly permissive Jackson deserialization of event log data, which allows an attacker who can write to the Spark event logs directory to inject malicious JSON payloads. These payloads can trigger the deserialization of arbitrary classes, leading to command execution on the host running the Spark History Server.

Impact

Exploitation of this vulnerability allows arbitrary code execution on the host where the Spark History Server is running, potentially compromising the entire system.

Reproduction

To reproduce this vulnerability, first run Apache Spark with event logging enabled, directing the logs to a writable directory. Next, inject crafted JSON at the beginning of an event log file, specifying a class name that can perform malicious actions, such as opening a JDBC connection to an attacker-controlled server. Finally, start the Spark History Server with its event log directory set to the modified directory. The server will deserialize the injected JSON and execute the specified actions, confirming successful exploitation of the vulnerability.

Remediation

Users are advised to upgrade to Apache Spark 3.5.7 or 4.0.1, or a later release, where this vulnerability has been fixed.
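The two fixed releases sit on separate release lines, so a naive "newer than 3.5.7" comparison would wrongly clear 4.0.0. The following branch-aware check is an added example for triaging deployed versions against this advisory; it is not Apache Spark project code, and it assumes plain x.y.z version strings, optionally with a prefix or vendor suffix.

```python
"""Branch-aware check of a Spark version string against the fix versions
named in this advisory (3.5.7 on the 3.x line, 4.0.1 on the 4.x line).
Added example, not Apache Spark project code."""
import re
from typing import Tuple

# Fixed releases per release line, as stated in the advisory.
FIXED_3X = (3, 5, 7)
FIXED_4X = (4, 0, 1)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from strings such as '3.5.6',
    'version 4.0.0' or '3.5.7-amzn-0' (vendor suffixes are ignored)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when a History Server at this version lacks the fix.

    The release lines are independent: 4.0.0 is numerically newer than
    3.5.7 but still affected, so compare within the line, not globally.
    """
    v = parse_version(version)
    if v[0] >= 4:
        return v < FIXED_4X
    return v < FIXED_3X  # covers 3.5.x and every older 3.x / 2.x release


def upgrade_target(version: str) -> str:
    """Smallest fixed release on the same line as the supplied version."""
    v = parse_version(version)
    fixed = FIXED_4X if v[0] >= 4 else FIXED_3X
    return ".".join(str(part) for part in fixed)


if __name__ == "__main__":
    # Constructed sample inventory, not data from the advisory.
    for deployed in ("3.4.3", "3.5.6", "3.5.7", "4.0.0", "4.0.1"):
        state = "AFFECTED" if is_affected(deployed) else "fixed"
        print(f"{deployed:8} {state:9} upgrade to >= {upgrade_target(deployed)}")
```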

Added: Mar 16, 2026, 2:43 PM
Updated: Mar 16, 2026, 2:43 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 7.5
exploitability: 3.8
remediation: 7.7
relevance: 4.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.