This is a summary of an AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1. What is this vulnerability? (Essence + Consequences)
**Essence**: The Apache Spark UI has an OS command injection flaw.
**Consequences**: Remote attackers can execute arbitrary system commands on the target host via crafted URLs. It's a critical RCE risk.
Q2. Root cause? (CWE/Flaw)
**Root Cause**: CWE-78 (OS Command Injection).
**Flaw**: Incorrect input validation in the **ACL (Access Control List)** feature of the Spark UI. Client-supplied input reaches an OS command without being sanitized.
Q3. Who is affected? (Versions/Components)
**Affected Versions**:
• Spark 3.0.3 and earlier
• Spark 3.1.1 to 3.1.2
• Spark 3.2.0 to 3.2.1
**Vendor**: Apache Software Foundation.
Q4. What can attackers do? (Privileges/Data)
**Privileges**: Full OS command execution.
**Data**: Whatever the account running the Spark driver can reach. Attackers can read or write files, install backdoors, or pivot to other systems.
Q5. Is the exploitation threshold high? (Auth/Config)
**Threshold**: **Low to Medium**.
**Auth/Config**: Exploitation requires `spark.acls.enable` to be set to `true`. If ACLs are left disabled (the default), this specific vector does not trigger; many enterprise setups enable them, though.
Q6. Is there a public exploit? (PoC/Wild Exploitation)
**Public Exploit?**: **YES**. Multiple Python PoCs exist (e.g., `cve_2022_33891_poc.py`). A Metasploit module has also been merged. In-the-wild exploitation is highly likely.
Q7. How to self-check? (Features/Scanning)
**Self-Check**:
1. Check the Spark version against the affected ranges.
2. Verify whether `spark.acls.enable` is set to `true`.
3. Look for the `?doAs=` parameter in HTTP requests to port 8080 (the default UI port).
4. Use DNSlog payloads to confirm the injection.
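As an added example (not part of the original analysis or of the Spark project), a small Python triage helper for self-check steps 1 to 3: it tests a version string against the ranges listed in Q3, reads `spark.acls.enable` from spark-defaults.conf text, and flags requests whose `doAs` value is not a plain user name. The log lines are constructed samples from an assumed reverse proxy in front of the UI; Spark itself does not write such a log by default.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Affected ranges exactly as listed in Q3 (inclusive bounds).
AFFECTED = [((0, 0, 0), (3, 0, 3)), ((3, 1, 1), (3, 1, 2)), ((3, 2, 0), (3, 2, 1))]
# A legitimate doAs value is a user name; anything outside this set is suspect.
SAFE_USER = re.compile(r"^[A-Za-z0-9_.@-]+$")
# Constructed access-log lines from an assumed reverse proxy in front of the Spark UI.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jul/2022:10:01:02 +0000] "GET /jobs/ HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Jul/2022:10:01:09 +0000] "GET /?doAs=alice HTTP/1.1" 200 4096',
    '198.51.100.7 - - [12/Jul/2022:10:02:41 +0000] "GET /?doAs=alice%3Btrue HTTP/1.1" 403 0',
]

def parse_version(version):
    """'3.2.1' -> (3, 2, 1); tolerates suffixes such as '3.2.1-SNAPSHOT'."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])

def is_affected(version):
    """True when the Spark version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def acls_enabled(conf_text):
    """Read spark.acls.enable from spark-defaults.conf text ('key value' or 'key=value')."""
    for line in conf_text.splitlines():
        parts = re.split(r"[\s=]+", line.strip(), maxsplit=1)
        if parts[0] == "spark.acls.enable" and len(parts) == 2:
            return parts[1].strip().lower() == "true"
    return False  # Spark's default is false

def suspicious_doas(log_line):
    """Return the decoded doAs value if it is not a plain user name, else None."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return None
    for value in parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True).get("doAs", []):
        if not SAFE_USER.match(value):
            return value
    return None

def scan_log(log_lines):
    """(line index, offending doAs value) for every request worth investigating."""
    hits = []
    for i, line in enumerate(log_lines):
        value = suspicious_doas(line)
        if value is not None:
            hits.append((i, value))
    return hits
```

Step 4 (out-of-band confirmation) is deliberately left out; a hit from `scan_log` plus `is_affected` and `acls_enabled` both returning `True` is already enough to prioritize the host for patching.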
**Urgency**: **CRITICAL**.
**Priority**: Patch immediately. Since PoCs and Metasploit modules are public, automated scanners and attackers are actively hunting for this. Do not wait.