Overview
Apache Spark is an open-source, distributed computing framework designed for big data processing and analytics, offering high-speed performance through in-memory computation and a unified engine for diverse workloads like batch processing, streaming, and machine learning.
In some versions of Spark, a malicious script can be stored in the logs. When a user views those logs through the Spark UI, the script is executed in their browser; this is a cross-site scripting (XSS) vulnerability.
A cross-site scripting (XSS) vulnerability is a type of security flaw that allows attackers to inject malicious scripts into web pages. It typically occurs when a site fails to properly validate, sanitize or encode user-controlled input, enabling unauthorized code to run in a victim's browser. It is included in the OWASP Top Ten list of vulnerabilities, under the third category, Injection. A website compromised in this way may experience:
- Session hijacking
- Data theft
- Malware distribution
- Defacement or phishing
- Privilege escalation
Details
Module Info
Product: Apache Spark
Affected packages: Apache Spark
Affected versions: <=3.2.1, 3.3.0
GitHub Repo: https://github.com/apache/spark
Published packages: Apache Spark
Package manager: npm
Vulnerability Info
This medium-severity vulnerability is found in the main package of Apache Spark.
Steps To Reproduce
- Set up an Apache Spark environment that is vulnerable to this issue, such as version 3.2.1. Configure Spark to run with the UI enabled.
- Run in local mode.
- Because the XSS occurs when Spark renders logs without properly sanitizing them, an attacker needs to insert a malicious script (e.g., <script>alert('XSS')</script>) into the logs.
- Create a simple script that inserts a malicious payload:
import org.apache.spark.sql.SparkSession
import org.slf4j.LoggerFactory

object XSSDemo {
  def main(args: Array[String]): Unit = {
    val spark = SparkSession.builder()
      .appName("XSS Test")
      .master("local[*]")
      .getOrCreate()
    // SparkContext's own logger is a protected member and cannot be reached from
    // application code, so obtain an slf4j logger, which Spark binds to its own
    // logging back end, and write to that instead.
    val log = LoggerFactory.getLogger(getClass)
    log.warn("<script>alert('XSS')</script>") // Inject the payload into logs
    spark.stop()
  }
}
- Compile and run with:
./bin/spark-submit --class XSSDemo --master spark://<your-machine>:7077 /path/to/your.jar
- Navigate to the logs via the Spark UI and view the malicious log entry.
- The browser will render the <script>alert('XSS')</script> as executable JavaScript, and you’ll see an alert pop-up with “XSS” that was stored in the logs.
Addressing the Issue
Users of the affected components should apply one of the following mitigations:
- Upgrade to a secure version of the software.
- Restrict access to the Spark UI.
- Install authentication and a Web Application Firewall, if either is missing.
- Add sanitization to any process that permits user-supplied text to enter the logs. (One could add a sanitization wrapper around the logging object.)
- Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this software.
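As an added illustration of the sanitization bullet above (example code written for this page, not Spark's or HeroDevs' own), the following Python sketch shows the two layers a defender has: a sanitizing wrapper around the logging object on the write side, and output encoding where the UI renders a log line. It assumes only Python's standard logging and html modules; the logger name and the <pre> wrapper are illustrative choices.

```python
import html
import logging
import re

# ASCII control characters other than tab/newline: meaningless in a log, break framing.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

def sanitize_for_log(text: str) -> str:
    """Write-side defence: strip control characters, then HTML-encode the rest."""
    return html.escape(_CONTROL_CHARS.sub("", text), quote=True)

class SanitizingFilter(logging.Filter):
    """The 'wrapper around the logging object': rewrites each record before any
    handler sees it, so the stored log never carries an active tag."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = sanitize_for_log(record.getMessage())
        record.args = ()  # getMessage() already interpolated them
        return True

class _ListHandler(logging.Handler):
    """Collects messages in a list, standing in for the driver/executor log file."""
    def __init__(self, sink: list) -> None:
        super().__init__()
        self.sink = sink

    def emit(self, record: logging.LogRecord) -> None:
        self.sink.append(record.getMessage())

def log_with_wrapper(messages) -> list:
    """Log each message through SanitizingFilter and return what got stored."""
    stored: list = []
    logger = logging.Logger("spark-xss-demo", level=logging.INFO)  # detached logger
    logger.addFilter(SanitizingFilter())
    logger.addHandler(_ListHandler(stored))
    for message in messages:
        logger.warning(message)
    return stored

def render_log_line(line: str) -> str:
    """Render-side fix, where the hole actually is: encode on output at the UI's trust
    boundary, so '<' reaches the browser as '&lt;' (text, not a tag). If both layers
    run, '&lt;' stored by the wrapper displays literally; keep the UI's escaping canonical."""
    return f"<pre>{html.escape(line, quote=True)}</pre>"

def contains_active_markup(rendered: str) -> bool:
    """Check on a rendered line: nothing inside the <pre> wrapper may be a raw tag."""
    inner = rendered[len("<pre>"):-len("</pre>")]
    return "<" in inner or ">" in inner
```

Run the payload quoted in the reproduction steps through either layer and the browser receives `&lt;script&gt;...` as inert text; the check function confirms no raw tag survives rendering.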
Credit(s)
- Florian Walter (Veracode)