7.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-12612

GHSA ID

GHSA-8rhc-48pp-52gr

EPSS Score

0.37125%

CWE

CWE-502

Published

11/9/2018

Updated

11/26/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-12612

CVE-2017-12612: Apache Spark Deserialization of Untrusted Data vulnerability

In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.1.2, 2.2.0 or later.

(GitHub Advisory)

7.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-12612

GHSA ID

GHSA-8rhc-48pp-52gr

EPSS Score

0.37125%

CWE

CWE-502

Published

11/9/2018

Updated

11/26/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.spark:spark-core_2.11	maven	< 2.1.2	2.1.2
org.apache.spark:spark-core_2.10	maven	< 2.1.2	2.1.2
pyspark	pip	< 2.1.2	2.1.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsafe deserialization in Spark's launcher API socket communication. The LauncherServer class's connection handler (ServerConnection.run) would be responsible for reading and deserializing commands. Vulnerable versions use raw ObjectInputStream for deserialization, while patched versions add validation(). The function appears in stack traces when malicious payloads are deserialized during exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In *p**** Sp*rk *.*.* until *.*.*, t** l*un***r *PI p*r*orms uns*** **s*ri*liz*tion o* **t* r***iv** *y its so*k*t. T*is m*k*s *ppli**tions l*un**** pro*r*mm*ti**lly usin* t** l*un***r *PI pot*nti*lly vuln*r**l* to *r*itr*ry *o** *x**ution *y *n *tt*

Reasoning

T** vuln*r**ility st*ms *rom uns*** **s*ri*liz*tion in Sp*rk's l*un***r *PI so*k*t *ommuni**tion. T** `L*un***rS*rv*r` *l*ss's *onn**tion **n*l*r (`S*rv*r*onn**tion.run`) woul* ** r*sponsi*l* *or r***in* *n* **s*ri*lizin* *omm*n*s. Vuln*r**l* v*rsion

7.8

Basic Information

Concerned about an active attack path?

CVE-2017-12612: Apache Spark Deserialization of Untrusted Data vulnerability

7.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI