CVE-2022-33891 — Apache Spark Command Injection Vulnerability

Apache Spark — Command Injection via UI Authentication Filter Enabling OS Command Execution

What is Apache Spark?

Apache Spark is an open-source, distributed data processing engine widely used for large-scale analytics, machine learning, and stream processing in enterprise data platforms. Spark clusters run across many nodes and expose a web UI for job monitoring. Many organizations run Spark on internal networks with the UI accessible to multiple users. When Access Control Lists (ACLs) are enabled, Spark uses an authentication filter to restrict UI access — but this filter contained the command injection vector.

Overview

CVE-2022-33891 is a command injection vulnerability (CWE-78) in Apache Spark's web UI authentication layer. When ACLs are enabled, Spark's HttpSecurityFilter attempts to resolve user identity from the HTTP request. An attacker with network access and valid low-privilege credentials can inject shell metacharacters into the request that are passed unsanitized to an OS command, resulting in remote code execution on the Spark master or worker node with the permissions of the Spark process (often running as root in containerized environments).

Affected Versions

Product        Vulnerable          Fixed
Apache Spark   3.0.3 and earlier   3.0.3 (patch)
Apache Spark   3.1.x < 3.1.3       3.1.3
Apache Spark   3.2.x < 3.2.2       3.2.2
Apache Spark   3.3.x < 3.3.0       3.3.0

Note: Only instances with spark.acls.enable=true or spark.ui.filters=… authentication enabled are vulnerable.

Technical Details

The vulnerability is in Spark's UIFilter authentication component. When ACLs are enabled, incoming web requests are processed to extract a doAs username parameter for impersonation. The username value is incorporated into a shell command without proper sanitization, allowing injection of arbitrary OS commands via shell metacharacters (semicolons, pipes, backticks, $() substitutions).

  • Authentication required: Low — the attacker needs valid credentials for the Spark UI (a low-privilege account is enough) and network reachability to the UI endpoint
  • Attack complexity: Low — straightforward HTTP parameter injection, no race or special conditions
  • Impact: Remote OS command execution as the Spark process user; in many deployments this is root or a high-privilege service account
  • Scope: Only affects Spark instances with ACLs enabled — but attackers actively scan for this configuration
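The injection point described above is the doAs query parameter, so the cheapest detective control is to screen UI request logs for doAs values that are not plausible user names. The following is an added example, not part of the original advisory or of Apache Spark itself; it assumes the Spark UI sits behind a reverse proxy (or other request logger) that writes Common Log Format lines, and the allowlist pattern for a user name is an assumption about typical Unix/LDAP account naming. The sample log lines are constructed for the example; the second decode pass catches double-encoded values that a single URL decode would miss.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: a legitimate Spark UI user name is a short token of letters,
# digits and a few punctuation characters. Shell metacharacters (; | & ` $ ( )
# and friends) never belong in it, so an allowlist is safer than a denylist.
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")

# Minimal Common Log Format parser: source address, timestamp, method,
# request target and status are all this check needs.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: two ordinary UI requests, then two with a doAs value that
# carries shell syntax (one single-encoded, one double-encoded).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2023:09:12:01 +0000] "GET /jobs/?doAs=alice HTTP/1.1" 200 5120',
    '10.0.0.5 - - [10/Mar/2023:09:12:07 +0000] "GET /stages/?id=3 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Mar/2023:09:13:44 +0000] "GET /?doAs=alice%3Btrue HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Mar/2023:09:13:51 +0000] "GET /?doAs=alice%2524%2528true%2529 HTTP/1.1" 200 5120',
]


def suspicious_doas_values(lines):
    """Return (source_ip, decoded_doAs_value) for every request whose doAs
    parameter falls outside the user-name allowlist after URL decoding."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        # parse_qs decodes once; the extra unquote() exposes double-encoded payloads.
        for value in parse_qs(query, keep_blank_values=True).get("doAs", []):
            decoded = unquote(value)
            if not SAFE_USERNAME.match(decoded):
                hits.append((m.group("src"), decoded))
    return hits


if __name__ == "__main__":
    for src, value in suspicious_doas_values(SAMPLE_LOG):
        print(f"suspicious doAs from {src}: {value!r}")
```

Feed it the proxy's access log for the UI ports and alert on any hit; a legitimate doAs value should never fail the allowlist, so the rule has very low noise. Pair it with step 5 of the remediation list (process-execution auditing on the Spark hosts), since a request that did not pass through the proxy leaves no line here.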

Discovery

Reported to the Apache Security Team. Apache published the advisory and fixed versions in July 2022.

Exploitation Context

CISA added this to KEV in March 2023, indicating confirmed exploitation in the wild approximately eight months after the patch. Spark is frequently deployed in enterprise data platform environments (Hadoop, cloud data lakes) that process sensitive business data — making it an attractive target for data exfiltration and ransomware pre-staging. Attackers scan for exposed Spark UIs; those with ACLs enabled and reachable from the internet are the primary targets.

Remediation

  1. Upgrade to Apache Spark 3.0.3+, 3.1.3+, 3.2.2+, or 3.3.0+ per your current release branch
  2. If upgrading immediately is not possible, disable ACL authentication (spark.acls.enable=false) as a temporary measure — but ensure network-level access controls protect the UI
  3. Restrict Spark UI access (typically port 4040/8080) to trusted IP ranges at the network or firewall level — Spark UIs should never be internet-facing
  4. Review Spark process user privileges — run Spark as a least-privilege service account, not as root
  5. Audit logs for unexpected process execution originating from Spark worker or master processes
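Steps 1 and 2 above reduce to two questions per cluster: is the running release at or past the fixed version for its branch, and is spark.acls.enable set. The following is an added example (not code from the advisory or from Apache Spark) that answers both from a version string and the text of spark-defaults.conf. The fixed versions are taken from the Affected Versions table; because that table lists 3.0.3 and earlier as vulnerable, every 3.0.x build is reported as unfixed here. Only the spark.acls.enable precondition is checked; the spark.ui.filters condition mentioned in the note is not evaluated. The sample configuration text is constructed.

```python
import re

# Fixed release per branch, from the advisory's Affected Versions table.
# 3.0.x has no fixed entry here: the table lists "3.0.3 and earlier" as vulnerable.
FIXED_BY_BRANCH = {(3, 1): (3, 1, 3), (3, 2): (3, 2, 2), (3, 3): (3, 3, 0)}


def parse_version(text):
    """'3.2.1' or '3.2.1-bin-hadoop3' -> (3, 2, 1)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Spark version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_is_fixed(version):
    """True when the release is at or beyond the fixed version for its branch."""
    v = parse_version(version)
    if v >= (3, 3, 0):
        return True  # 3.3.0 and every later release carry the fix
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return False  # 3.0.x and older: no fixed release in the table
    return v >= fixed


def parse_spark_conf(text):
    """Parse spark-defaults.conf: one 'key value' (or 'key=value') per line,
    '#' starts a comment. Returns a dict of property -> raw value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[=\s]+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def assess(version, conf_text):
    """Classify one cluster against the advisory's two preconditions."""
    conf = parse_spark_conf(conf_text)
    acls_on = conf.get("spark.acls.enable", "false").lower() == "true"
    if version_is_fixed(version):
        return "not affected: fixed release"
    if acls_on:
        return ("VULNERABLE: unfixed release with spark.acls.enable=true; "
                "upgrade, or disable ACLs and restrict UI network access until you can")
    return "exposed release with ACLs disabled: upgrade before enabling spark.acls.enable"


# Constructed sample configuration (assumption: a typical spark-defaults.conf).
SAMPLE_CONF = """
# cluster defaults
spark.master            yarn
spark.acls.enable       true   # UI ACLs on
spark.ui.port           4040
"""

if __name__ == "__main__":
    for ver in ("3.0.3", "3.1.2", "3.2.2"):
        print(ver, "->", assess(ver, SAMPLE_CONF))
```

Run it against each cluster's reported version and its spark-defaults.conf (or the equivalent values from the UI's Environment tab). Note that a property set on the command line or in the driver program overrides the file, so treat a "disabled" result from the file alone as provisional until the live configuration confirms it.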

Key Details

Property              Value
CVE ID                CVE-2022-33891
Vendor / Product      Apache — Spark
NVD Published         2022-07-18
NVD Last Modified     2025-10-23
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-78
CISA KEV Added        2023-03-07
CISA KEV Deadline     2023-03-28
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  Low
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2023-03-28. Apply updates per vendor instructions.

Timeline

Date         Event
2022-07-18   CVE published; Apache Spark 3.0.3, 3.1.3, 3.2.2, 3.3.0 released with patch
2023-03-07   Added to CISA Known Exploited Vulnerabilities catalog
2023-03-28   CISA BOD 22-01 remediation deadline

References

Resource                                     Type
Apache Security Advisory — CVE-2022-33891    Vendor Advisory
NVD — CVE-2022-33891                         Vulnerability Database
CISA KEV Catalog Entry                       US Government