Apache Spark REST API RCE CVE-2018-11770
Description
Apache Spark is an open-source distributed general-purpose cluster-computing framework. From version 1.3.0 its standalone master can expose a REST submission server (default port 6066, controlled by spark.master.rest.enabled and spark.master.rest.port) through which applications are submitted to the cluster, in addition to the RPC path used by spark-submit.
CVE-2018-11770: the REST submission server performs no authentication or authorization. The shared secret configured with spark.authenticate.secret, which protects spark-submit and RPC traffic in standalone mode, is not checked for REST submissions, and before Spark 2.4.0 this was neither documented nor disabled by default. Because a submitted application runs the code it ships on the cluster's workers, anyone who can reach the REST port can execute arbitrary code on the cluster. The REST API is intended only for trusted networks and must never be reachable from untrusted networks or the public internet. Spark 2.4.0 documents the behaviour and ships with the REST server disabled by default, but it still does not authenticate REST submissions, so the controls below apply to every version.
Remediation
Implement the following controls on every standalone master that runs the Spark REST submission server:
1. Disable the REST Submission Server: Unless jobs are genuinely submitted through it, turn it off on the master in spark-defaults.conf (spark-submit against the master's RPC port, default 7077, keeps working):
spark.master.rest.enabled=false
2. Restrict Network Access: If the REST server must stay on, configure firewall rules to allow connections to the REST port (default 6066, spark.master.rest.port) only from trusted hosts or networks. Block all public internet access.
3. Enable Authentication (defence in depth only): Configure Spark's shared-secret authentication in spark-defaults.conf on the master and all workers:
spark.authenticate=true
spark.authenticate.secret=<strong-random-secret>
This secret is enforced for spark-submit and RPC traffic but is not checked by the REST submission server, so it does not by itself close CVE-2018-11770; steps 1 and 2 are the controls that do.
4. Use Network Segmentation: Deploy Spark clusters in isolated network segments (VLANs or private subnets) separate from untrusted networks.
5. Enable SSL/TLS: Configure SSL on all supported Spark protocols:
spark.ssl.enabled=true
spark.ssl.keyStore=/path/to/keystore
spark.ssl.keyStorePassword=<password>
TLS protects data in transit; it adds no authentication to the REST server.
6. Upgrade Apache Spark: Update to 2.4.0 or later, where the REST submission server is documented and disabled by default. Re-check spark.master.rest.enabled after upgrading, since an explicit true carried over from an existing configuration still enables it.
7. Monitor Access: Log and monitor connections to the REST port and driver submissions on the master to detect unauthorized use.
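The following Python script is an added example, not part of this advisory and not Spark's own tooling. It parses a standalone master's spark-defaults.conf and reports whether the unauthenticated REST submission server would be running (an explicit spark.master.rest.enabled, or the pre-2.4.0 default), whether spark.authenticate is being relied on even though the REST server ignores it, and whether the upgrade and SSL steps above are still open. The sample configurations, the severity levels and the probe_rest_server helper (which expects the JSON status reply of Spark's StandaloneRestServer; that reply shape is an assumption here and the probe is not run by the script) are constructed for illustration.

```python
"""Offline audit of spark-defaults.conf for the conditions behind CVE-2018-11770.

Added example, not Spark's own tooling. Rules encoded (from the advisory):
the REST submission server listens on spark.master.rest.port (default 6066)
and performs no authentication, spark.authenticate.secret is not checked by
it, and before 2.4.0 it ran unless spark.master.rest.enabled was false.
"""
import json
import re
import urllib.error
import urllib.request

# spark-defaults.conf: one "key value" per line; '=' or ':' are also
# accepted as separators and '#' starts a comment.
_LINE = re.compile(r"^([^\s=:]+)\s*[=:\s]\s*(.*)$")


def parse_spark_conf(text):
    """Return {key: value} for the properties in a spark-defaults.conf body."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def parse_version(version):
    """'2.3.1' -> (2, 3, 1); tolerates suffixes such as '2.4.0-SNAPSHOT'."""
    nums = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def _is_true(value):
    return value is not None and value.strip().lower() == "true"


def rest_server_enabled(conf, spark_version):
    """True when the master would start the REST submission server."""
    setting = conf.get("spark.master.rest.enabled")
    if setting is not None:
        return _is_true(setting)
    return parse_version(spark_version) < (2, 4, 0)  # pre-2.4.0 default: on


def audit(conf, spark_version):
    """Return (severity, message) findings for one master's configuration."""
    findings = []
    port = conf.get("spark.master.rest.port", "6066")
    if rest_server_enabled(conf, spark_version):
        findings.append(("HIGH", "REST submission server enabled on port %s; it accepts job "
                                 "submissions without authentication (CVE-2018-11770). Set "
                                 "spark.master.rest.enabled=false or firewall the port" % port))
        if _is_true(conf.get("spark.authenticate")):
            findings.append(("INFO", "spark.authenticate=true is set, but the REST submission "
                                     "server does not check the secret; it does not mitigate "
                                     "CVE-2018-11770"))
    if parse_version(spark_version) < (2, 4, 0):
        findings.append(("MEDIUM", "Spark %s predates 2.4.0, where the REST server is "
                                   "documented and off by default; upgrade" % spark_version))
    if not _is_true(conf.get("spark.authenticate")):
        findings.append(("MEDIUM", "spark.authenticate is not true; Spark RPC is unauthenticated"))
    if not _is_true(conf.get("spark.ssl.enabled")):
        findings.append(("LOW", "spark.ssl.enabled is not true; Spark endpoints use plaintext"))
    return findings


def highest_severity(findings):
    order = {"HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}
    return max((f[0] for f in findings), key=order.get, default=None)


def probe_rest_server(host, port=6066, timeout=3.0):
    """Live check (not run by this script): query the master's status endpoint
    for a bogus driver id. A JSON reply means the unauthenticated REST server
    is reachable; the 'serverSparkVersion' field is assumed from Spark's
    StandaloneRestServer. Returns the reported version, or None if unreachable."""
    url = "http://%s:%d/v1/submissions/status/probe-0" % (host, port)
    try:
        resp = urllib.request.urlopen(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # HTTPError still carries a readable body
    except OSError:
        return None
    try:
        body = json.loads(resp.read().decode("utf-8", "replace"))
    except ValueError:
        return None
    return body.get("serverSparkVersion", "unknown") if isinstance(body, dict) else None


# Constructed sample configurations (not taken from any real deployment).
VULNERABLE_CONF = """
# pre-2.4 master: REST server on by default, secret set but not enforced there
spark.master               spark://master:7077
spark.authenticate         true
spark.authenticate.secret  replace-me-with-a-random-secret
"""

HARDENED_CONF = """
spark.master.rest.enabled  false
spark.authenticate         true
spark.authenticate.secret  replace-me-with-a-random-secret
spark.ssl.enabled          true
spark.ssl.keyStore         /etc/spark/keystore.jks
spark.ssl.keyStorePassword replace-me
"""

if __name__ == "__main__":
    for name, text, ver in (("vulnerable", VULNERABLE_CONF, "2.3.1"),
                            ("hardened", HARDENED_CONF, "2.4.0")):
        print("== %s (Spark %s) ==" % (name, ver))
        for sev, msg in audit(parse_spark_conf(text), ver):
            print("  [%s] %s" % (sev, msg))
```

Run it against a copy of the master's spark-defaults.conf and the output of `spark-submit --version`; a HIGH finding means step 1 or 2 above is outstanding regardless of what spark.authenticate says.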