CVE-2019-10095

9.8 CRITICAL

📋 TL;DR

This CVE describes a command injection vulnerability in Apache Zeppelin's Spark interpreter settings that allows authenticated users to execute arbitrary system commands on the underlying server. The vulnerability affects Apache Zeppelin versions 0.9.0 and earlier, potentially leading to complete system compromise.

💻 Affected Systems

Products:
  • Apache Zeppelin
Versions: 0.9.0 and all prior versions
Operating Systems: All operating systems running Apache Zeppelin
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to Zeppelin interface; Spark interpreter must be configured

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with root-level access, data exfiltration, lateral movement, and persistent backdoor installation

🟠 Likely Case: Unauthorized command execution leading to data theft, service disruption, or cryptocurrency mining

🟢 If Mitigated: Limited impact due to network segmentation, minimal privileges, and proper input validation

🌐 Internet-Facing: HIGH - Internet-facing Zeppelin instances are directly exploitable by authenticated attackers
🏢 Internal Only: MEDIUM - Requires authenticated access but can lead to significant internal network compromise

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once access is obtained

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.0-preview1 and later

Vendor Advisory: https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b@%3Cusers.zeppelin.apache.org%3E

Restart Required: Yes

Instructions:

1. Upgrade to Apache Zeppelin 0.9.0-preview1 or later.
2. Stop Zeppelin service.
3. Backup configuration.
4. Install new version.
5. Restart Zeppelin service.

🔧 Temporary Workarounds

Disable Spark Interpreter (applies to: all)

Temporarily disable the Spark interpreter if it is not required: edit the interpreter settings in the Zeppelin UI to disable the Spark interpreter.

Network Segmentation (applies to: all)

Restrict Zeppelin access to trusted networks only: configure firewall rules to limit access to the Zeppelin port to authorized IPs.

🧯 If You Can't Patch

  • Implement strict network access controls to limit Zeppelin access to trusted users only
  • Run Zeppelin with minimal privileges and in isolated containers/namespaces

🔍 How to Verify

Check if Vulnerable:

Check the Zeppelin version; if it is 0.9.0 or earlier, the system is vulnerable

Check Version:

Check Zeppelin web interface or configuration files for version information

Verify Fix Applied:

Verify Zeppelin version is 0.9.0-preview1 or later

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns in system logs
  • Suspicious interpreter setting modifications in Zeppelin logs

Network Indicators:

  • Unexpected outbound connections from Zeppelin server
  • Command and control traffic patterns

SIEM Query:

source="zeppelin" AND (event="interpreter_setting" OR event="command_execution") AND (command="*;*" OR command="*|*" OR command="*`*")

Note the parentheses around the three command patterns: without them, AND binds tighter than OR, so any event with a pipe or backtick in its command field would match regardless of source or event type.
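The detection logic of the query above, run over a handful of constructed log lines, as an added example that is not part of this advisory. It assumes a simple key="value" log format and the field names the query itself assumes (source, event, command); real Zeppelin logs do not use this layout, so the parser would need adapting. It also includes the unparenthesized form of the condition to show the false positive that the operator-precedence mistake produces.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not real Zeppelin output); the key="value"
# layout and field names are assumptions made for this example.
SAMPLE_LOGS = [
    'source="zeppelin" event="interpreter_setting" user="alice" command="spark.driver.extraJavaOptions=-Xmx2g"',
    'source="zeppelin" event="interpreter_setting" user="mallory" command="spark.driver.extraJavaOptions=-Xmx2g; touch /tmp/marker | cat"',
    'source="zeppelin" event="command_execution" user="bob" command="`id`"',
    'source="sshd" event="command_execution" user="bob" command="ls -la | grep foo"',
    'source="zeppelin" event="login" user="carol" command="whoami; id"',
]

# Matches one key="value" pair; values contain no double quotes in this format.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

WATCHED_EVENTS = {"interpreter_setting", "command_execution"}
SHELL_METACHARS = (";", "|", "`")


def parse_kv_line(line: str) -> Dict[str, str]:
    """Split a key="value" log line into a field dictionary."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def has_shell_metachar(command: str) -> bool:
    """True if the command field contains any of ; | or backtick."""
    return any(ch in command for ch in SHELL_METACHARS)


def is_suspicious(record: Dict[str, str]) -> bool:
    """Grouped condition, equivalent to the parenthesized SIEM query:
    source="zeppelin" AND event in watched set AND command has a metachar."""
    return (
        record.get("source") == "zeppelin"
        and record.get("event") in WATCHED_EVENTS
        and has_shell_metachar(record.get("command", ""))
    )


def is_suspicious_naive(record: Dict[str, str]) -> bool:
    """Condition as written without parentheses. AND binds tighter than OR,
    so only the ';' pattern is scoped to Zeppelin events; '|' and '`' match
    any record from any source."""
    command = record.get("command", "")
    return (
        (
            record.get("source") == "zeppelin"
            and record.get("event") in WATCHED_EVENTS
            and ";" in command
        )
        or "|" in command
        or "`" in command
    )


def scan(lines: List[str], predicate=is_suspicious) -> List[Dict[str, str]]:
    """Return the parsed records for which the predicate fires."""
    records = (parse_kv_line(line) for line in lines)
    return [r for r in records if predicate(r)]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOGS):
        print("grouped  :", r["user"], "->", r["command"])
    for r in scan(SAMPLE_LOGS, is_suspicious_naive):
        print("ungrouped:", r["user"], "->", r["command"])
```

The grouped predicate flags only the two Zeppelin records (the interpreter-setting change with `;` and `|`, and the backtick command), while the ungrouped predicate additionally flags the unrelated sshd record because its command contains a pipe.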
