CVE-2022-33891 Detection: New Apache Spark Shell Command Injection Vulnerability

CVE-2022-33891 Detection

According to the latest SOC Prime’s Detection as Code Innovation report, proactive detection of vulnerability exploitation remains one of the top 3 security use cases throughout 2021-2022, which resonates with a growing number of revealed vulnerabilities affecting open-source products. The cybersecurity researcher has recently revealed a new vulnerability in Apache Spark, an open-source unified analytics engine for large-scale data processing. The newly discovered vulnerability is tracked as CVE-2022-33891 with the proof-of-concept (PoC) exploit already available on GitHub. On July 18, 2022, Apache Spark issued the security bulletin detailing this vulnerability, which is considered critical. The revealed flaw affects Apache Spark versions 3.0.3 and earlier, enabling attackers to execute an arbitrary shell command. 

Detect CVE-2022-22891 Exploitation Attempts

Cyber defenders are welcome to take advantage of SOC Prime’s platform and obtain the dedicated Sigma rule to timely detect exploitation attempts of a new critical vulnerability in Apache Spark. This newly released detection for CVE-2022-33891 vulnerability exploitation has been crafted by our prolific Threat Bounty Program developer Onur Atali and is already available for registered SOC Prime users:

CVE-2022-33891 Apache Spark Shell Command Injection Vulnerability

Seasoned individual researchers and aspiring detection content authors striving to make their own contribution to collaborative cyber defense can join Threat Bounty Program and share their Sigma and YARA rules with industry peers while monetizing their input. 

The above-mentioned Sigma rule is available for 18+ industry-leading SIEMs, EDRs, and XDRs, including cloud-native and on-premise solutions. For improved threat visibility, the detection content item is aligned with the MITRE ATT&CK® framework addressing the Initial Access tactic with the Exploit Public-Facing Application (T1190) as the primary technique. 

Keeping up with the ever-evolving threat landscape is a pressing challenge for all cyber defenders considering the rising volumes of attacks and enhanced sophistication of adversary tools. In addition, a growing number of exploits impacting open-source solutions exposes thousands of organizations worldwide to severe threats. SOC Prime’s platform provides a broad collection of Sigma rules addressing the “Proactive Exploit Detection” use case to help organizations effectively defend against related threats. Click the Detect & Hunt button to access the entire list of dedicated detection algorithms that can be instantly converted to 25+ SIEM, EDR, and XDR solutions. 

Looking for the fastest way to search for command injection vulnerabilities and instantly gain relevant threat context? Browse SOC Prime to reach all the relevant contextual information with MITRE ATT&CK references, CTI links, and more insightful metadata at a sub-second search performance — just click the Explore Threat Context button below.

Detect & Hunt Explore Threat Context

CVE-2022-33891 Analysis

Apache Spark provides high-level APIs in multiple programming languages, including Scala, Java, and Python. Additionally, it supports a variety of high-level toolings, such as Spark SQL for SQL and DataFrames, MLlib for machine learning, and more. 

The recently-revealed flaw in Apache Spark (CVE-2022-33891) was reported by Kostya Kortchinsky, the cybersecurity researcher from Databricks. This flaw with a critical severity rating enables adversaries to perform arbitrary shell command execution as a current Spark user. The security issue stems from the Spark UI ability to enable Active Control Lists (ACLs) via the sparks.acls.enable option. In case ACLs are enabled, a HttpSecurityFilter code path provides the ability to impersonate by serving an arbitrary user name. In case of success, an adversary can reach a permission check function to launch a Unix shell command. This will eventually result in arbitrary shell command execution. Since the PoC exploit is already available via GitHub, Spark users are urged to upgrade their instances as soon as possible.

The glitch impacts the Apache Spark version 3.0.3 and earlier, as well as 3.1.1 to 3.1.2 and 3.2.0 to 3.2.1. To ensure your instances are protected from possible exploitation attempts, it is highly recommended to upgrade to Apache Spark 3.1.3, 3.2.2, or 3.3.0 maintenance release.

Stay ahead of emerging threats and increase your cybersecurity posture by leveraging SOC Prime’s Detection as Code platform fueled by the power of collaborative cyber defense. Gain access to high-fidelity alerts and top threat hunting queries recommended by the global community of 23,000+ cybersecurity professionals by applying the Smoking Guns Sigma Rules list that any SOC team should have at their disposal.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts