Security Bulletin: Vulnerability in PySpark affects IBM Analytics Engine (CVE-2018-11760)

Summary

When using PySpark, it’s possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.

Vulnerability Details

CVE-ID: CVE-2018-11760

DESCRIPTION: Apache Spark could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw when using PySpark. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to connect to the Spark application and impersonate the user running the Spark application.

CVSS Base Score: 7.8

CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/156245&gt; for more information

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

• IBM Analytics Engine 1.1
• IBM Analytics Engine 1.0

Remediation/Fixes

1. IBM Analytics Engine 1.2 is not affected by this vulnerability.
2. IBM Analytics Engine 1.0 is deprecated and no new provisioning is allowed as of May 15 2019. Users with existing IBM Analytics Engine 1.0 clusters must upgrade to IBM Analytics Engine 1.2 by creating new clusters.
3. IBM Analytics Engine 1.1 will be deprecated and no new provisioning will be allowed as of August 30 2019. Users with existing IBM Analytics Engine 1.1 clusters must upgrade to IBM Analytics Engine 1.2 by creating new clusters.

Workarounds and Mitigations

None.