CVE-2023-32007 Overview
CVE-2023-32007 is a command injection vulnerability in Apache Spark affecting unsupported versions. The Apache Spark UI offers the ability to enable ACLs via the configuration option spark.acls.enable. When ACLs are enabled with an authentication filter, a code path in HttpSecurityFilter can allow an attacker to perform impersonation by providing an arbitrary user name. A malicious user can then reach a permission check function that builds a Unix shell command based on their input, resulting in arbitrary shell command execution as the user Spark is currently running as.
This vulnerability was previously disclosed as CVE-2022-33891, but that advisory incorrectly claimed version 3.1.3 would not be affected. This CVE corrects that disclosure for the affected unsupported versions.
Critical Impact
This vulnerability enables arbitrary shell command execution on Apache Spark instances with ACLs enabled, potentially allowing complete system compromise through user impersonation.
Affected Products
- Apache Spark (unsupported versions including 3.1.3 and earlier)
- Apache Spark versions prior to 3.4.0 with ACLs enabled
- Systems running Apache Spark with spark.acls.enable configuration option active
Discovery Timeline
- 2023-05-02 - CVE-2023-32007 published to NVD
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2023-32007
Vulnerability Analysis
This vulnerability is classified under CWE-77 (Command Injection). The flaw exists in the access control implementation within Apache Spark's UI component. When ACL functionality is enabled through spark.acls.enable, the system is designed to verify user permissions for viewing or modifying applications. However, a weakness in the HttpSecurityFilter component allows an attacker to impersonate any user simply by supplying that user name, so the permission check runs on attacker-chosen input.
The attack requires network access and low-privilege authentication to exploit. Once an attacker successfully impersonates a user, they can reach internal permission checking functions that unsafely construct Unix shell commands using attacker-controlled input. This results in command injection, allowing the attacker to execute arbitrary commands with the privileges of the Spark process.
Root Cause
The root cause is improper input validation and sanitization in the HttpSecurityFilter component. When processing user authentication information, the filter fails to properly validate or sanitize user-supplied data before using it in operations that ultimately lead to shell command construction. The permission check function does not adequately escape or validate input before incorporating it into Unix shell commands, creating a classic command injection vulnerability.
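The flawed pattern beside two safe ones, added here as an illustration and not Spark's own code. The page does not name the exact command Spark builds, so a group-lookup command (`id -Gn <user>`) is assumed; the functions only return what would be run and never execute anything.

```python
import re
import shlex

# Allowlist for a Unix account name (assumed policy: a POSIX-style portable
# name, 1-32 characters, lowercase, no leading hyphen). Nothing that matches
# this pattern can contain a shell metacharacter.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")

def vulnerable_groups_command(user):
    """The flawed pattern: the user name is spliced into a shell string that
    would be handed to 'bash -c', so ';', '|', '$()' or backticks in the
    name become part of the command. Returned here, never executed."""
    return "id -Gn " + user

def hardened_groups_command(user):
    """Fix 1: validate against the allowlist, then return an argv list for an
    exec-style call (subprocess.run(argv, shell=False)); with no shell in
    the path there is nothing for a metacharacter to do."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError(f"rejected user name: {user!r}")
    return ["id", "-Gn", user]

def escaped_groups_command(user):
    """Fix 2, for code that must go through a shell anyway: quote the name
    so the shell treats it as one literal word."""
    return "id -Gn " + shlex.quote(user)
```

Prefer the allowlist plus argv form; quoting alone protects the shell parse but still passes an arbitrary string to the command.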
Attack Vector
The attack is network-based and requires an authenticated attacker with low privileges. The exploitation flow involves:
- The attacker identifies a Spark instance with ACLs enabled via spark.acls.enable
- The attacker crafts a malicious request with a specially formed user name
- The HttpSecurityFilter accepts the arbitrary user name, enabling impersonation
- The attacker navigates to functionality that triggers permission checking
- The permission check function constructs a Unix shell command using the malicious input
- The injected command executes with the privileges of the Spark process
The vulnerability does not require user interaction and can be exploited remotely. For detailed technical information, refer to the Openwall Security Discussion and the Apache Mailing List Thread.
Detection Methods for CVE-2023-32007
Indicators of Compromise
- Unusual user names appearing in Spark UI authentication logs containing shell metacharacters (;, |, $(), backticks)
- Unexpected processes spawned as child processes of the Spark application
- Anomalous outbound network connections from Spark worker nodes
- Authentication attempts with crafted user names targeting the Spark UI endpoints
Detection Strategies
- Monitor Spark UI access logs for requests containing suspicious characters in user name fields
- Implement network-level monitoring for unusual traffic patterns to and from Spark instances
- Deploy endpoint detection to identify unexpected command execution from Spark processes
- Review authentication logs for impersonation attempts or repeated access pattern anomalies
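A log scanner for the first indicator and first detection strategy above, added here as an illustration rather than Spark's or the advisory's own tooling. It assumes the UI access log is NCSA-style with the authenticated user in the third field, and that an impersonation user name arrives as a query parameter (shown as doAs, the parameter HttpSecurityFilter reads); the log lines are constructed, and every parameter value is checked, not only doAs.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Shell metacharacters that have no business in a user name.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

# NCSA-style access line: client, ident, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: the first two lines are benign, lines 3-5 are not.
SAMPLE_LOG = """\
10.0.0.5 - alice [02/May/2023:10:01:12 +0000] "GET /jobs/ HTTP/1.1" 200 5120
10.0.0.9 - bob [02/May/2023:10:02:44 +0000] "GET /jobs/?doAs=carol HTTP/1.1" 200 5120
10.0.0.9 - bob [02/May/2023:10:03:01 +0000] "GET /jobs/?doAs=dave%3Btrue HTTP/1.1" 200 5120
10.0.0.9 - - [02/May/2023:10:03:05 +0000] "GET /jobs/?doAs=%60id%60 HTTP/1.1" 403 310
10.0.0.9 - eve|true [02/May/2023:10:03:09 +0000] "GET /stages/ HTTP/1.1" 200 4096
"""

def suspicious_values(line):
    """Return [(field, decoded_value)] for every user-supplied value on the
    line that contains a shell metacharacter; [] if the line is clean or
    does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    user = m.group("user")
    if user != "-" and SHELL_META.search(user):
        hits.append(("remote_user", user))
    # parse_qsl percent-decodes, so %3B is checked as ';'. Every parameter
    # is inspected rather than only the known impersonation one.
    for name, value in parse_qsl(urlsplit(m.group("target")).query,
                                 keep_blank_values=True):
        if SHELL_META.search(value):
            hits.append((name, value))
    return hits

def scan_log(text):
    """Return [(line_number, hits)] for lines with at least one hit."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = suspicious_values(line)
        if hits:
            findings.append((n, hits))
    return findings
```

parse_qsl strips one layer of percent-encoding, so a doubly encoded name (%253B) would slip through; decode again or alert on a stray % in any user name field.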
Monitoring Recommendations
- Enable verbose logging on Apache Spark instances and forward logs to a SIEM platform
- Configure alerting for any shell command execution spawned by Spark processes
- Monitor for modifications to Spark configuration files, particularly ACL-related settings
- Implement file integrity monitoring on critical Spark installation directories
How to Mitigate CVE-2023-32007
Immediate Actions Required
- Upgrade Apache Spark to version 3.4.0 or later, which is a supported release
- If immediate upgrade is not possible, consider disabling the Spark UI entirely
- Restrict network access to Spark UI to trusted IP ranges only
- Review and audit all Spark instances for ACL configurations using spark.acls.enable
- Implement network segmentation to isolate Spark clusters from untrusted networks
Patch Information
Users are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0 or later. The affected versions are no longer supported by the Apache Spark maintainers, making upgrade the primary remediation path. Consult the Apache Spark Security Overview for official security guidance and upgrade instructions.
Workarounds
- Disable ACLs by setting spark.acls.enable=false if the feature is not required (note: this reduces security in other ways)
- Place the Spark UI behind a reverse proxy with strong authentication controls
- Use firewall rules to restrict Spark UI access to only authorized administrators
- Implement network-level access controls to prevent untrusted users from reaching Spark endpoints
# Configuration example
# Restrict Spark UI binding to localhost only (prevents external access)
spark.ui.bindAddress=127.0.0.1
# If ACLs must remain enabled, ensure proper authentication is configured
spark.authenticate=true
spark.authenticate.secret=<your-secure-secret>
# Limit UI access through configuration
spark.ui.reverseProxy=true
spark.ui.reverseProxyUrl=https://your-secure-proxy.example.com/spark
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.