Ted Yu created SPARK-11682:
------------------------------
Summary: Commons-collections object deserialization may expose
remote command execution vulnerability
Key: SPARK-11682
URL: https://issues.apache.org/jira/browse/SPARK-11682
Project: Spark
Issue Type: Bug
Reporter: Ted Yu
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
TL;DR: If you have commons-collections on your classpath and accept and process
Java object serialization data, then you may have an exploitable remote command
execution vulnerability.
In ./launcher/src/main/java/org/apache/spark/launcher/LauncherConnection.java :
{code}
ObjectInputStream in = new ObjectInputStream(socket.getInputStream());
while (!closed) {
Message msg = (Message) in.readObject();
{code}
There may be other occurrence(s).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
