
CVE-2017-12612: Apache Spark Deserialization of Untrusted Data vulnerability

CVSS Score (v3.0): 7.8

Basic Information

EPSS Score: 0.37125%
Published: 11/9/2018
Updated: 11/26/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name                      | Ecosystem | Vulnerable Versions | First Patched Version
org.apache.spark:spark-core_2.11  | maven     | < 2.1.2             | 2.1.2
org.apache.spark:spark-core_2.10  | maven     | < 2.1.2             | 2.1.2
pyspark                           | pip       | < 2.1.2             | 2.1.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from unsafe deserialization in the socket communication of Spark's launcher API. The connection handler of the LauncherServer class (ServerConnection.run) is responsible for reading and deserializing commands from the socket. Vulnerable versions hand the raw socket stream to an ObjectInputStream and call readObject() on it without restricting which classes may be instantiated; patched versions add validation of the incoming data before it is deserialized. This function is the one that appears in stack traces when a malicious payload is deserialized during exploitation.
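The pattern described above, as an added illustration that is not Spark's own code: a connection handler that calls readObject() on a raw socket stream, beside a hardened reader that installs a JDK deserialization filter (JEP 290, Java 9 and later) so that only an expected message type can be instantiated. The LauncherMessage type and the two reader methods are assumed names for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.Serializable;

// Constructed stand-in for a launcher protocol message (an assumption,
// not Spark's own class); it is the only type expected on the wire.
final class LauncherMessage implements Serializable {
    final String command;
    LauncherMessage(String command) { this.command = command; }
}

final class LauncherConnection {
    // Vulnerable pattern: every class named in the stream is resolved and
    // instantiated before the handler sees it, so any serializable gadget
    // on the classpath executes inside readObject().
    static Object readCommandUnsafe(InputStream in)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            return ois.readObject();
        }
    }

    // Hardened pattern: a JDK deserialization filter (JEP 290, Java 9+) is
    // consulted for each class, array and String as it is encountered, and
    // for stream depth and size, before any object is constructed.
    static final ObjectInputFilter COMMAND_FILTER = info -> {
        if (info.depth() > 4 || info.streamBytes() > 64 * 1024) {
            return ObjectInputFilter.Status.REJECTED; // resource limits
        }
        Class<?> cls = info.serialClass();
        if (cls == null) {
            return ObjectInputFilter.Status.UNDECIDED; // not a class check
        }
        boolean allowed = cls == LauncherMessage.class || cls == String.class;
        return allowed ? ObjectInputFilter.Status.ALLOWED
                       : ObjectInputFilter.Status.REJECTED;
    };

    static LauncherMessage readCommandFiltered(InputStream in)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            ois.setObjectInputFilter(COMMAND_FILTER);
            // A rejected class raises InvalidClassException here, before
            // its constructor or readObject hooks can run.
            return (LauncherMessage) ois.readObject();
        }
    }
}
```

A rejected stream surfaces as java.io.InvalidClassException ("filter status: REJECTED") in the handler, which is a useful log signature for detecting attempts against a filtered listener.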


WAF Protection Rules

WAF Rule

In Apache Spark *.*.* until *.*.*, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an atta
