Re: Re: CVE Request: Arbitary Code Execution in Apache Spark Cluster

[Kurt Seifried <kseifried () redhat com>]

You should probably CC security () apache org if you're going to pass the
decision to them rather then relying on a third party to do it (e.g.
positive control vs. "well I hope someone told them").

On 04/16/2015 04:05 PM, cve-assign () mitre org wrote:
> > http://codebreach.in/blog/2015/03/arbitary-code-execution-in-unsecured-apache-spark-cluster/
>
> As far as we can tell, the essence of your report is related to:
>
>   http://spark.apache.org/docs/latest/configuration.html
>   Property Name: spark.authenticate
>   Default: false
>   Meaning: Whether Spark authenticates its internal connections.
>
> If a user downloads spark-1.3.0.tgz, they will find a README.md with:
>
>   Please refer to the [Configuration guide]
>   (http://spark.apache.org/docs/latest/configuration.html)
>   in the online documentation for an overview on how to configure
>   Spark.
>
> Also, because the product is advertised as a "general-purpose cluster
> computing system," we think that downloaders would typically have some
> experience in system or network administration, and should be able to
> recognize whether a trusted network exists for all "internal
> connections."
>
> It's conceivable that the documentation should be expanded to further
> discuss the risks of the default spark.authenticate value. MITRE is
> not going to assign a CVE ID for this. It is a judgment call for the
> upstream vendor. Because the upstream vendor has a process for
> assigning CVE IDs, we feel it would be simplest and best here to use
> that process, even if it is often not used in cases of publicly known
> vulnerabilities. See the security () apache org address on the
> http://www.apache.org/security/committers.html page. It's their
> decision on how to proceed.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: OpenPGP digital signature