CVE-2023-32007

8.8 HIGH

📋 TL;DR

When spark.acls.enable=true, a code path in HttpSecurityFilter lets an authenticated user of the Apache Spark UI impersonate any other user by supplying an arbitrary user name (the doAs request parameter). That name flows into a permission check that builds a Unix shell command from it and runs it, so shell metacharacters in the name give arbitrary command execution as the OS account the Spark process runs as. This is a re-disclosure of CVE-2022-33891 with corrected version information: the earlier advisory wrongly stated that 3.1.3 was not affected. All affected releases are no longer supported by the maintainers.
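The two halves of the bug, impersonation followed by a shell command built from the impersonated name, as an added Python illustration. This is not Spark's Scala code; the function names, the allowlist regex and the sample payload are the author's assumptions, and the vulnerable builder only constructs the command rather than running it:

```python
import re
from typing import Callable, List, Optional

# Sequences a POSIX shell interprets when the string is handed to 'bash -c'.
SHELL_METACHARS = ("`", "$(", ";", "|", "&", ">", "<", "\n")

# Allowlist for the hardened path (assumption: POSIX-style account names).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def effective_user(remote_user: Optional[str], do_as: Optional[str]) -> Optional[str]:
    """Impersonation step: a doAs request parameter replaces the identity the
    authentication filter established, so the caller chooses the name that
    flows into the permission check."""
    return do_as if do_as is not None else remote_user


def group_cmd_vulnerable(user: str) -> List[str]:
    """Vulnerable pattern: the user-chosen name is concatenated into a single
    string that a shell parses, so back-ticks or $( ) in it become commands."""
    return ["bash", "-c", "id -Gn " + user]


def group_cmd_hardened(user: str) -> List[str]:
    """Hardened pattern: reject names outside the allowlist and pass the name
    as its own argv element with no shell in between, so metacharacters stay
    inert even if the allowlist is later loosened."""
    if not USERNAME_RE.match(user):
        raise ValueError("rejected user name: %r" % user)
    return ["id", "-Gn", user]


def shell_risk(argv: List[str]) -> List[str]:
    """Metacharacters present in a 'bash -c' script; an argv that runs the
    binary directly has no script for a shell to parse, so it returns []."""
    if len(argv) == 3 and argv[:2] == ["bash", "-c"]:
        return [m for m in SHELL_METACHARS if m in argv[2]]
    return []


def check_view_permission(remote_user: Optional[str], do_as: Optional[str],
                          builder: Callable[[str], List[str]]) -> List[str]:
    """Model of the ACL check: resolve the effective user, then build (but do
    not run) the group-lookup command the check would execute for that user."""
    user = effective_user(remote_user, do_as)
    if user is None:
        raise PermissionError("no authenticated user and no doAs")
    return builder(user)


if __name__ == "__main__":
    payload = "alice`id`"  # constructed doAs value carrying a command substitution
    cmd = check_view_permission("bob", payload, group_cmd_vulnerable)
    print(cmd, "->", shell_risk(cmd))
    try:
        check_view_permission("bob", payload, group_cmd_hardened)
    except ValueError as err:
        print(err)
```

The point of the hardened builder is the argv list, not the regex: even a name that slips past the allowlist reaches id as a single argument and is never parsed by a shell.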

💻 Affected Systems

Products:
  • Apache Spark
Versions: 3.1.3, plus the releases already listed for CVE-2022-33891 (3.0.3 and earlier, 3.1.1 to 3.1.2, 3.2.0 to 3.2.1). The CVE-2022-33891 advisory wrongly listed 3.1.3 as fixed; the fix is present in 3.2.2, 3.3.0 and later.
Operating Systems: All operating systems running Apache Spark
Default Config Vulnerable: ✅ No
Notes: The vulnerable code path is reached only when spark.acls.enable=true (the default is false). Every affected release is end-of-life, so there is no patched release in those lines; the remedy is moving to a supported version.

📦 What is this software?

Apache Spark is an open-source distributed engine for large-scale data processing. Each running application serves a web UI (port 4040 by default) and the Spark History Server serves the UI for completed applications; the ACL feature (spark.acls.enable together with the view and modify ACL settings) restricts who may inspect or control an application through that UI.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of the Spark server with arbitrary command execution as the Spark service account, potentially leading to data theft, lateral movement, or complete system takeover.

🟠

Likely Case

Authenticated attackers with access to Spark UI can execute arbitrary commands, potentially accessing sensitive data or disrupting Spark operations.

🟢

If Mitigated

With proper network segmentation and authentication controls, impact is limited to the Spark service account's permissions on the affected server.

🌐 Internet-Facing: HIGH if Spark UI is exposed to the internet with ACLs enabled, as authenticated users can achieve RCE.
🏢 Internal Only: MEDIUM for internal deployments with ACLs enabled, as attackers still need authentication but can achieve RCE once authenticated.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation needs an identity accepted by the Spark UI's authentication filter and spark.acls.enable=true; once both hold the attacker controls the impersonated user name and therefore the shell command, so complexity is low. The same code path was disclosed as CVE-2022-33891, and public proof-of-concept code written for that ID applies unchanged, including against 3.1.3.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.2 and 3.3.0 contain the fix; the maintainers recommend a supported release such as 3.4.0 or later

Vendor Advisory: https://spark.apache.org/security.html

Restart Required: Yes

Instructions:

1. Upgrade Apache Spark to a supported release (3.4.0 or later; the fix is also in 3.2.2 and 3.3.0) on every host that runs it. The UI is served by application drivers and by the History Server, so both must be on the fixed release.
2. Restart all Spark services and long-running applications so that no process keeps serving the old UI code.
3. If ACLs are required, keep spark.acls.enable=true and confirm after the upgrade that view and modify ACLs still behave as expected.

🔧 Temporary Workarounds

Disable ACLs

Platform: all

Set spark.acls.enable=false to remove the vulnerable code path. The Spark documentation writes spark-defaults.conf entries as whitespace-separated key value pairs; the key=value form below is what spark-submit --conf takes on the command line. Caveat: with ACLs off the UI performs no per-user authorization at all, so every user who can authenticate can view and control every application. Pair this with the network isolation below.

spark.acls.enable=false

Network Isolation

Platform: all

Restrict access to the Spark UI (driver UIs and the History Server) to trusted networks only, for example behind a reverse proxy or VPN with an allowlist of source addresses. This reduces who can reach the UI; it does not remove the vulnerability for those who can.

🧯 If You Can't Patch

  • Set spark.acls.enable=false, and accept that the UI then performs no per-user authorization
  • Implement strict network access controls to limit Spark UI access to essential personnel only

🔍 How to Verify

Check if Vulnerable:

Look for spark.acls.enable=true in spark-defaults.conf, in --conf arguments passed to spark-submit, and in application code that sets it on SparkConf (the Environment tab of a running application's UI shows the effective value). Then confirm the release is an affected one: 3.1.3, or any release listed for CVE-2022-33891.

Check Version:

spark-submit --version

Verify Fix Applied:

Confirm spark-submit --version reports 3.4.0 or later (or at least 3.2.2 / 3.3.0), confirm every driver and History Server process has been restarted on the new release, and, if ACLs are required, test that view and modify ACLs still work.
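The exposure check above, written out as an added Python script that is not a Spark-provided tool. It encodes the version ranges from the Apache Spark advisories (CVE-2022-33891: 3.0.3 and earlier, 3.1.1 to 3.1.2, 3.2.0 to 3.2.1, fixed in 3.2.2 and 3.3.0; CVE-2023-32007: 3.1.3 was wrongly listed as fixed) and reads the inputs an operator actually has: the spark-submit --version banner, spark-defaults.conf, and --conf overrides. The sample banner and configuration are constructed:

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive ranges carrying the vulnerable code path, from the Apache Spark
# advisories: CVE-2022-33891 lists 3.0.3 and earlier, 3.1.1-3.1.2 and
# 3.2.0-3.2.1 (fixed in 3.2.2 and 3.3.0); CVE-2023-32007 adds 3.1.3.
AFFECTED_RANGES = (
    ((0, 0, 0), (3, 0, 3)),
    ((3, 1, 0), (3, 1, 3)),
    ((3, 2, 0), (3, 2, 1)),
)

# Constructed 'spark-submit --version' banner for an affected release.
SAMPLE_VERSION_OUTPUT = r"""Welcome to
      ____              __
     / __/__  ___ _____/ /__
    _\ \/ _ \/ _ `/ __/  '_/
   /___/ .__/\_,_/_/ /_/\_\   version 3.1.3
      /_/

Using Scala version 2.12.10, OpenJDK 64-Bit Server VM, 1.8.0_292
"""

# Constructed spark-defaults.conf with ACLs on and the default shell-based
# group mapping provider (the component that shells out on the vulnerable path).
SAMPLE_DEFAULTS = """# constructed spark-defaults.conf
spark.master              yarn
spark.acls.enable         true
spark.ui.view.acls        alice,bob
spark.user.groups.mapping=org.apache.spark.security.ShellBasedGroupsMappingProvider
"""


def parse_version(version_output: str) -> Optional[Version]:
    """Pull x.y.z out of the banner; skip the 'Scala version' line."""
    m = re.search(r"(?<!Scala )version\s+(\d+)\.(\d+)\.(\d+)", version_output)
    return tuple(int(g) for g in m.groups()) if m else None


def parse_spark_conf(text: str) -> Dict[str, str]:
    """Parse spark-defaults.conf: '#' comments, blank lines, and 'key value'
    or 'key=value' pairs (Spark loads it as Java properties, so both occur)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        m = re.match(r"([^\s=:]+)\s*[=:\s]\s*(.*)", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def parse_cli_conf(args: List[str]) -> Dict[str, str]:
    """Collect '--conf key=value' overrides from a spark-submit command line;
    these take precedence over spark-defaults.conf."""
    conf: Dict[str, str] = {}
    for i, arg in enumerate(args):
        if arg == "--conf" and i + 1 < len(args) and "=" in args[i + 1]:
            key, value = args[i + 1].split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def version_affected(version: Version) -> bool:
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def acls_enabled(conf: Dict[str, str]) -> bool:
    return conf.get("spark.acls.enable", "false").strip().lower() == "true"


def assess(version_output: str, defaults_text: str,
           submit_args: List[str] = ()) -> Dict[str, object]:
    """Combine release and effective configuration into a verdict."""
    version = parse_version(version_output)
    conf = parse_spark_conf(defaults_text)
    conf.update(parse_cli_conf(list(submit_args)))
    acls = acls_enabled(conf)
    affected = version is not None and version_affected(version)
    if version is None:
        reason = "could not determine the Spark version"
    elif not affected:
        reason = "release contains the fix"
    elif not acls:
        reason = "affected release, but spark.acls.enable is not true"
    else:
        reason = "affected release with spark.acls.enable=true"
    return {"version": version, "acls_enabled": acls,
            "affected_version": affected, "vulnerable": affected and acls,
            "reason": reason}


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_DEFAULTS))
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_DEFAULTS,
                 ["--conf", "spark.acls.enable=false"]))
```

A configuration set programmatically on SparkConf inside the application is invisible to this script; for a running application the Environment tab of its UI is the source of truth for the effective value.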

📡 Detection & Monitoring

Log Indicators:

  • The Spark JVM spawning a shell: the vulnerable path runs bash -c "id -Gn <user name>", so an execve of bash from a Spark driver or History Server process whose argument contains anything beyond a plain account name (back-ticks, $( ), ;, |) is the most direct signal (auditd, EDR process trees)
  • HTTP requests to the UI whose doAs query parameter contains shell metacharacters or their URL-encoded forms (%60, %24(, %3B, %7C); Spark writes no HTTP access log by default, so this needs a reverse proxy or load balancer in front of the UI
  • User names in Spark logs that are not account names at all
  • Errors or warnings from ACL permission checks naming unexpected users

Network Indicators:

  • Unexpected outbound connections from Spark driver or History Server hosts (reverse shells, download of second-stage tooling)
  • Inbound requests to UI ports (4040 and the following ports for drivers, 18080 for the History Server) from hosts that should not reach them

SIEM Query:

Illustrative Splunk-style search over reverse-proxy access logs in front of the UI; field names depend on the log source:

sourcetype=access_combined uri_query="*doAs=*" (uri_query="*%60*" OR uri_query="*%24(*" OR uri_query="*$(*" OR uri_query="*%3B*" OR uri_query="*;*" OR uri_query="*%7C*" OR uri_query="*|*")
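The request-log indicator above as an added detection script that is not part of the original page or of Spark. It parses combined-format reverse-proxy access lines, decodes the doAs query parameter once (so %60 is seen as a back-tick) and raises an alert when the value contains shell metacharacter sequences. The log lines are constructed and the hosts and users in them are placeholders:

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Sequences that turn a doAs value into a shell command on the vulnerable path.
INJECTION_MARKERS = ("`", "$(", ";", "|", "&", ">", "<", "\n")

# Combined log format as written by Apache httpd / NGINX reverse proxies.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: a reverse proxy in front of a driver UI.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/May/2023:10:00:01 +0000] "GET /jobs/?doAs=alice HTTP/1.1" 200 5120',
    '10.0.0.9 - bob [12/May/2023:10:00:07 +0000] "GET /?doAs=alice%60id%60 HTTP/1.1" 200 5120',
    '10.0.0.9 - bob [12/May/2023:10:00:09 +0000] "GET /environment/?doAs=x%24(id) HTTP/1.1" 200 4096',
    '10.0.0.12 - - [12/May/2023:10:00:15 +0000] "GET /jobs/ HTTP/1.1" 200 5120',
]


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def doas_values(target: str) -> List[str]:
    """All doAs query values in a request target, percent-decoded once so that
    %60 is seen as a back-tick and %24 as a dollar sign. Spark reads the
    parameter name case-sensitively, so the match is exact."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True).get("doAs", [])


def injection_markers(value: str) -> List[str]:
    """Shell metacharacter sequences present in a decoded doAs value."""
    return [m for m in INJECTION_MARKERS if m in value]


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """One alert per request whose doAs value a shell would parse as more
    than an account name."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        for value in doas_values(rec["target"]):
            markers = injection_markers(value)
            if markers:
                alerts.append({"ip": rec["ip"], "user": rec["user"],
                               "status": rec["status"], "target": rec["target"],
                               "doAs": value, "markers": markers})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

A clean doAs value (the first line) is normal ACL use and produces no alert; the script flags only values that carry shell syntax. Process telemetry showing the Spark JVM executing bash -c "id -Gn ..." with such an argument is the confirming signal on the host side.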

🔗 References

  • Apache Spark security advisories (vendor advisory for this issue): https://spark.apache.org/security.html
  • CVE-2022-33891, the original disclosure of the same code path