CVE-2017-12612

HIGH

Apache Spark 1.6.0-2.1.1 - Remote Code Execution via Launcher API Deserialization

Title source: llm

Description

In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later.

References (2)

Core 2

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/100823

Mailing List, Vendor Advisory x_refsource_misc

https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E

Scores

CVSS v3 7.8

EPSS 0.0007

EPSS Percentile 20.4%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-502

Status published

Products (12)

apache/spark 1.6.0

apache/spark 1.6.1

apache/spark 1.6.2

apache/spark 1.6.3

apache/spark 2.0.0

apache/spark 2.0.1

apache/spark 2.0.2

apache/spark 2.1.0

apache/spark 2.1.1

org.apache.spark/spark-core_2.10 0 - 2.1.2Maven

... and 2 more

Published Sep 13, 2017

Tracked Since Feb 18, 2026