CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- CVE-2022-28810 Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability
- CVE-2022-33891 Apache Spark Command Injection Vulnerability
- CVE-2022-35914 Teclib GLPI Remote Code Execution Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column—which will sort by descending dates.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CVE-2022-33891 Detail
Description
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.
| Hyperlink | Resource |
|---|---|
| http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html | Exploit Third Party Advisory VDB Entry |
| https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc | Mailing List Third Party Advisory |
This CVE is in CISA’s Known Exploited Vulnerabilities Catalog
Reference CISA’s BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements.
| Vulnerability Name | Date Added | Due Date | Required Action |
|---|---|---|---|
| Apache Spark Command Injection Vulnerability | 03/07/2023 | 03/28/2023 | Apply updates per vendor instructions. |
Weakness Enumeration
| CWE-ID | CWE Name | Source |
|---|---|---|
| CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) |   |
Known Affected Software Configurations Switch to CPE 2.2
Configuration 1 ( hide )
| cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:* Show Matching CPE(s) | Up to (including) 3.0.3 | |
| cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:* Show Matching CPE(s) | From (including) 3.1.1 | Up to (including) 3.1.2 |
| cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:* Show Matching CPE(s) | From (including) 3.2.0 | Up to (including) 3.2.1 |
Source:
https://www.cisa.gov/news-events/alerts/2023/03/07/cisa-adds-three-known-exploited-vulnerabilities-catalog