Security Advisory 2022-058

Release Date:

Critical Shell Command Injection Vulnerability in Apache Spark



  • 03/08/2022 --- v1.0 -- Initial publication


On July 18, Apache Spark released a security bulletin [1] regarding a newly found critical vulnerability within Apache Spark's ACL implementation, tracked as CVE-2022-33891 and with a CVSS score of 8.8 out of 10. The flaw was discovered by a security researcher, with the proof of concept (PoC) exploit already available on GitHub [2] and exploitation attempts in the wild being detected since, at least, July 26th.

Apache Spark is an open-source, unified engine for large-scale data analytics, which executes data engineering, data science, and machine learning tasks. Additionally, it provides high-level APIs in multiple programming languages[3].

Technical Details

The flaw could allow adversaries to perform arbitrary shell command execution as a current Spark user. The issue stems from the Apache Spark UI ability to enable ACLs via the configuration option spark.acls.enable.

If ACLs are enabled, a HttpSecurityFilter code path allows adversaries to perform impersonation by providing an arbitrary user name. In case of success, an attacker will be able to reach a permission check function, which will allow them to launch a Unix shell command. This eventually leads to the arbitrary shell command execution.

Affected Products

The following Apache Spark versions are affected by this flaw:

  • 3.0.3 and earlier
  • 3.1.1 to 3.1.2
  • 3.2.0 to 3.2.1


To ensure your instances are protected from exploitation attempts, it is highly recommended to upgrade to Apache Spark maintenance release:

  • 3.1.3
  • 3.2.2
  • 3.3.0 or later





We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.