DNIF on-premise software versions 9.1.1 and below may be vulnerable to the command injection vulnerability affecting Apache Spark version 3.0.3 and earlier, as well as 3.1.1 to 3.1.2 and 3.2.0 to 3.2.1. Upgrading to DNIF on-premise software version 9.2.0 or to DNIF Hypercloud SAAS is recommended to fully mitigate this security issue.
Apache Spark is an open-source unified analytics engine for large-scale data processing. A critical blind command injection vulnerability has been discovered in Apache Spark. This flaw enables an attacker to execute arbitrary code on the system where Apache Spark is deployed, running as the current Spark user. A code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. This applies only if ACLs are enabled. It allows a malicious user to reach a permission check function that ultimately builds a Unix shell command from their input and executes it.
Summary of Impact on DNIF Deployments
The DNIF Product Security team has been assessing both our on-premise and SaaS offerings for similar issues, and we can confirm that DNIF on-premise versions 9.1.1 and below might be vulnerable to the command injection. The DNIF Hypercloud SAAS platform is built on a brand new cloud-native architecture and is not affected by any of these issues.
| DNIF version | Spark version | Vulnerable |
|---|---|---|
| 9.1.1 or below | 3.1.1 | Yes |
| 9.2.0 HyperCloud SAAS | N/A | No |
The DNIF on-premise software uses Apache Spark with its default configuration. The exploit has a precondition: ACLs must be enabled, which should not be the case in any DNIF on-premise software version. Also, the Apache Spark UI is not exposed to the internet, which prevents an attacker from sending any payloads to carry out the attack. Exploitation is therefore highly unlikely, but we still recommend that users upgrade to DNIF version 9.2.0 or DNIF Hypercloud SAAS to fully mitigate this vulnerability.
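The two conditions above (an affected Spark version and ACLs enabled) are what an administrator should verify on an existing on-premise node. The following Python script is an added example, not DNIF's code or part of Apache Spark: it encodes the affected version ranges stated in this advisory and reads a `spark-defaults.conf` style file to report whether the ACL precondition is met. It assumes that the `spark.acls.enable` property is the setting that governs Spark ACLs and that the configuration file uses Spark's whitespace-separated `key value` format; the sample configuration text embedded below is constructed for illustration.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Affected Apache Spark version ranges as stated in the advisory (inclusive).
# "3.0.3 and earlier" is modelled as everything up to and including 3.0.3.
AFFECTED_RANGES = [
    ((0, 0, 0), (3, 0, 3)),
    ((3, 1, 1), (3, 1, 2)),
    ((3, 2, 0), (3, 2, 1)),
]

# Assumption: this is the Spark property that turns ACL checks on (default off).
ACL_PROPERTY = "spark.acls.enable"


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (extra suffixes such as '-SNAPSHOT' are ignored)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Spark version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected_spark_version(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def parse_spark_conf(conf_text: str) -> Dict[str, str]:
    """Parse spark-defaults.conf: one 'key value' pair per line, '#' starts a comment."""
    conf: Dict[str, str] = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        # A key with no value is treated as an empty string rather than an error.
        conf[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return conf


def acls_enabled(conf: Dict[str, str]) -> bool:
    """ACL checks are only active when the property is explicitly set to true."""
    return conf.get(ACL_PROPERTY, "false").lower() == "true"


def assess(spark_version: str, conf_text: str) -> Dict[str, object]:
    """Combine the version check and the ACL precondition into one verdict."""
    conf = parse_spark_conf(conf_text)
    affected = is_affected_spark_version(spark_version)
    acls = acls_enabled(conf)
    return {
        "spark_version": spark_version,
        "affected_version": affected,
        "acls_enabled": acls,
        # The vulnerable code path is only reachable when both conditions hold.
        "precondition_met": affected and acls,
        "recommendation": (
            "upgrade to a fixed Spark release (or DNIF 9.2.0 / Hypercloud SAAS)"
            if affected else "no action required for this issue"
        ),
    }


# Constructed sample: the default-style configuration described in the advisory (ACLs off).
SAMPLE_DEFAULT_CONF = """# constructed sample spark-defaults.conf
spark.master   local[*]
spark.ui.port  4040
"""

# Constructed sample: a deployment that has switched ACLs on, meeting the precondition.
SAMPLE_ACLS_ON_CONF = """# constructed sample spark-defaults.conf
spark.master        local[*]
spark.acls.enable   true   # enables the permission check the advisory describes
spark.ui.view.acls  alice
"""

if __name__ == "__main__":
    for label, conf in (("default", SAMPLE_DEFAULT_CONF), ("acls-on", SAMPLE_ACLS_ON_CONF)):
        print(label, assess("3.1.1", conf))
```

Run it against the real `spark-defaults.conf` and the output of `spark-submit --version` on each node; a node whose verdict shows `precondition_met: True` should be treated as exposed regardless of network placement, while one showing `affected_version: True` alone still warrants the upgrade the advisory recommends.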