CVE-2020-9480

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass authentication in Apache Spark's standalone resource manager and execute arbitrary shell commands on the host machine. It affects Apache Spark 2.4.5 and earlier versions when using standalone resource manager with authentication enabled. Other resource managers like YARN and Mesos are not affected.

💻 Affected Systems

Products:
  • Apache Spark
Versions: 2.4.5 and earlier
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects standalone resource manager configuration with spark.authenticate enabled. YARN, Mesos, and Kubernetes resource managers are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full remote code execution on Spark master nodes, allowing complete compromise of the cluster and potential lateral movement to other systems.

🟠 Likely Case

Unauthorized application deployment leading to resource consumption, data exfiltration, or malicious code execution within the cluster.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to Spark master ports.

🌐 Internet-Facing: HIGH - Authentication bypass allows unauthenticated RCE on internet-exposed Spark masters.
🏢 Internal Only: HIGH - Even internally, this allows privilege escalation and lateral movement within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires network access to Spark master port (default 7077) and knowledge of the vulnerability. Public exploit code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Spark 2.4.6 and later

Vendor Advisory: https://spark.apache.org/security.html#CVE-2020-9480

Restart Required: Yes

Instructions:

1. Upgrade to Apache Spark 2.4.6 or later.
2. Download from the official Apache Spark website.
3. Replace the existing Spark installation.
4. Restart all Spark services, including the master and workers.

🔧 Temporary Workarounds

Disable standalone resource manager authentication

Platform: all

Remove spark.authenticate configuration to prevent exploitation, though this reduces security.

Remove or comment out spark.authenticate=true in spark-defaults.conf

Network isolation

Platform: linux

Restrict access to Spark master port (default 7077) to trusted networks only.

# Replace trusted_network with the CIDR of the network allowed to reach the master (e.g. 10.0.0.0/8).
# That range must include the worker nodes, which register with the master on this port.
# Rule order matters: the ACCEPT rule must be appended before the DROP rule.
iptables -A INPUT -p tcp --dport 7077 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 7077 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit access to Spark master port (7077) to only trusted administrative networks.
  • Monitor for unusual RPC requests or unauthorized application submissions in Spark logs.

🔍 How to Verify

Check if Vulnerable:

A deployment is vulnerable when all three conditions hold: it uses the standalone resource manager, spark.authenticate is enabled, and the Spark version is 2.4.5 or earlier.

Check Version:

spark-submit --version 2>&1 | grep version

Verify Fix Applied:

Verify Spark version is 2.4.6 or later and test authentication by attempting to submit jobs without proper credentials.
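An added check script (not from the advisory or the Spark project) that applies the three conditions above to the output of spark-submit --version and the contents of spark-defaults.conf. The sample banner and config are constructed, and the standalone test assumes spark.master is set in the file as a spark:// URL.

```python
import re

# Releases at or below this version are affected per the advisory (fixed in 2.4.6).
LAST_AFFECTED = (2, 4, 5)

# Constructed sample of the banner `spark-submit --version` prints; Spark's version line precedes Scala's.
SAMPLE_VERSION_OUTPUT = """Welcome to
                              version 2.4.5
Using Scala version 2.11.12, OpenJDK 64-Bit Server VM, 1.8.0_252
"""

# Constructed sample spark-defaults.conf: standalone master with authentication on.
SAMPLE_CONF = """# constructed example, not a real cluster
spark.master                spark://master:7077
spark.authenticate=true
spark.authenticate.secret   REDACTED
"""

def parse_spark_version(version_output: str) -> tuple:
    """Return Spark's (major, minor, patch); the first 'version X.Y.Z' match is Spark's."""
    m = re.search(r"\bversion\s+(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no version string found in spark-submit output")
    return tuple(int(g) for g in m.groups())

def parse_spark_defaults(text: str) -> dict:
    """Parse 'key value' / 'key=value' lines; '#' starts a comment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*[=:]\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            props[parts[0]] = parts[1].strip()
    return props

def assess(version_output: str, spark_defaults: str) -> dict:
    """Apply the advisory's conditions: standalone master (spark:// URL) with
    spark.authenticate enabled on Spark <= 2.4.5. Note spark.master can also be
    given on the spark-submit command line, which this file-based check cannot see."""
    version = parse_spark_version(version_output)
    props = parse_spark_defaults(spark_defaults)
    standalone = props.get("spark.master", "").startswith("spark://")
    auth_enabled = props.get("spark.authenticate", "false").lower() == "true"
    affected_version = version <= LAST_AFFECTED
    return {"version": version, "standalone": standalone, "auth_enabled": auth_enabled,
            "affected_version": affected_version,
            "vulnerable": standalone and auth_enabled and affected_version}
```

Feed it the real banner and config with `assess(open_banner_text, open(conf_path).read())`; a result of `vulnerable: True` means the upgrade to 2.4.6 has not yet taken effect on that node.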

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized RPC requests to master
  • Application submissions without proper authentication tokens
  • Unexpected shell command execution in master logs

Network Indicators:

  • Unusual RPC traffic to port 7077 from untrusted sources
  • Application submission requests without preceding authentication handshake

SIEM Query:

source="spark-master.log" AND ("authentication failed" OR "unauthorized RPC" OR "malformed request")
