Security Bulletin: A vulnerability in Apache Spark affects multiple IBM Spectrum Conductor versions

Created by Xue Zhou Yuan on
Published URL: https://www.ibm.com/support/pages/node/876262

Summary

A vulnerability in Apache Spark versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1 affects multiple IBM Spectrum Conductor versions that integrate these Apache Spark versions. Apache Spark versions 2.2.3 or newer and 2.3.2 or newer provide a fix for this vulnerability (see 'Vulnerability Details').

This advisory provides notification of an updated Spark 2.3.3 package that includes the Apache Spark fix and is now available for use in your IBM Spectrum Conductor cluster.

Vulnerability Details

CVEID: CVE-2018-11760
DESCRIPTION: Apache Spark could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw when using PySpark. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to connect to the Spark application and impersonate the user running the Spark application.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/156245 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Spectrum Conductor with Spark v2.2.1
IBM Spectrum Conductor v2.3.0

Remediation/Fixes

Download the remediation package that applies to your product version from IBM Fix Central:
Product                                  VRMF    APAR       Remediation/First Fix
IBM Spectrum Conductor with Spark        2.2.1   P102904    Spark2.3.3-Conductor2.2.1.tgz
IBM Spectrum Conductor                   2.3.0   P102904    Spark2.3.3-Conductor2.3.0.tgz

IBM Spectrum Conductor with Spark 2.2.1

Follow these instructions (which use Linux x86_64 as an example):

Before installation
a. Log on to the master host as the cluster administrator and stop the "ascd" service:
  > egosh user logon -u Admin -x Admin
  > egosh service stop ascd
b. For recovery purposes, log on to each management host in the cluster and back up the following files to another directory:
  $EGO_TOP/ascd/2.2.1/lib/asc-common-2.2.1.jar
  $EGO_TOP/ascd/2.2.1/lib/asc-core-2.2.1.jar
Installation
a. Log on to each management host in your cluster and extract the cws-2.2.1.0_build515153.tar.gz package, for example:
  > mkdir -p /tmp/fix515153
  > tar zoxf cws-2.2.1.0_build515153.tar.gz -C /tmp/fix515153
  > tar zoxf /tmp/fix515153/lifecycle.tgz -C $EGO_TOP
b. Start the "ascd" service:
  > egosh user logon -u Admin -x Admin
  > egosh service start ascd
c. Launch your web browser and clear the browser cache.
d. Log in to the cluster management console as an administrator.
e. Add the Spark 2.3.3 package to your cluster.
     a) Click Workload > Spark > Version Management.
     b) Click Add.
     c) Click Browse and select the /tmp/fix515153/Spark2.3.3-Conductor2.2.1.tgz.
     d) Click Add.
f. Create a new Spark instance group that uses the new Spark version package. For details, see Creating Spark instance groups.
Uninstallation
If required, follow the instructions in this section to uninstall this interim fix on hosts in your cluster.
a. Log on to the master host as the cluster administrator and stop the "ascd" service:
  > egosh user logon -u Admin -x Admin
  > egosh service stop ascd
b. On each management host, restore your backup for the following files:
  $EGO_TOP/ascd/2.2.1/lib/asc-common-2.2.1.jar
  $EGO_TOP/ascd/2.2.1/lib/asc-core-2.2.1.jar
c. Start the "ascd" service:
  > egosh user logon -u Admin -x Admin
  > egosh service start ascd

IBM Spectrum Conductor 2.3.0

Follow these instructions (which use Linux x86_64 as an example):

Installation
1. On your client host, extract the sc-2.3.0.0_build514889.tar.gz package, for example:
  > mkdir -p /tmp/fix514889
  > tar zoxf sc-2.3.0.0_build514889.tar.gz -C /tmp/fix514889
2. Launch your web browser and clear the browser cache.
3. Navigate to the cluster management console and log in as an administrator.
4. Remove the Spark 2.3.3 package if it already exists:
    a. Click Workload > Spark > Version Management.
    b. Select the Spark version.
    c. Click Remove.
5. Add the Spark 2.3.3 package to your cluster.
    a. Click Workload > Spark > Version Management.
    b. Click Add.
    c. Click Browse and select the /tmp/fix514889/Spark2.3.3-Conductor2.3.0.tgz.
    d. Click Add.
Configuration
a. Click Workload > Spark > Notebook Management.
b. Click Configure.
c. On the Environment Variables tab, append ",2.3.3" to the value in the "supported_spark_versions" input box. For example:
    supported_spark_versions: 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.1, 2.3.3
d. Click Update Notebook.
e. Click Go to Instance Group List.
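The following check is an added example, not part of IBM's bulletin or of the Spectrum Conductor product: it applies the affected-version ranges stated in the Summary to individual Spark version strings and to a "supported_spark_versions" line like the one above, so an administrator can spot entries that still point at a vulnerable Spark package. The function names and the sample setting line are constructed for this example.

```python
import re

# Affected Apache Spark ranges as stated in this bulletin for CVE-2018-11760:
# 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
# Fixed in 2.2.3 or newer and 2.3.2 or newer.
# Each entry is an inclusive (lower, upper) bound on (major, minor, patch).
AFFECTED_RANGES = [
    ((1, 0, 0), (1, 999, 999)),   # every 1.x release
    ((2, 0, 0), (2, 1, 999)),     # every 2.0.x and 2.1.x release
    ((2, 2, 0), (2, 2, 2)),       # 2.2.0 to 2.2.2
    ((2, 3, 0), (2, 3, 1)),       # 2.3.0 to 2.3.1
]

# Constructed sample, mirroring the value shown in the Configuration step above.
SAMPLE_SETTING = ("supported_spark_versions: 2.0.1, 2.1.0, 2.1.1, 2.2.0, "
                  "2.2.1, 2.2.2, 2.2.3, 2.3.1, 2.3.3")


def parse_version(text):
    """Extract the first dotted version from strings such as '2.3.3' or
    'Spark2.3.3-Conductor2.2.1.tgz' and return (major, minor, patch).
    A missing patch component defaults to 0."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError("no version number found in %r" % text)
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version_text):
    """True if the version falls inside one of the bulletin's affected ranges."""
    version = parse_version(version_text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def audit_supported_versions(setting_line):
    """Parse a 'supported_spark_versions: a, b, c' line and return the entries
    that are still affected, in the order they appear."""
    _, _, values = setting_line.partition(":")
    versions = [v.strip() for v in values.split(",") if v.strip()]
    return [v for v in versions if is_affected(v)]


if __name__ == "__main__":
    for entry in audit_supported_versions(SAMPLE_SETTING):
        print("still affected: Spark %s" % entry)
```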

Workarounds and Mitigations

None

References

Change History

Mar 18, 2019 : original version created
Mar 19, 2019 : update summary and URL of fixes; suspend
Apr 10, 2019 : publish

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date: 11 April 2019
UID: ibm10876262