Common Vulnerabilities and Exposures
CVE-2015-3253: The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.
Severity: High
Vendor: Hortonworks
Versions Affected: All HDP versions with Spark 1.5 and 1.6 (HDP 2.3.4.7+).
Users Affected: Users whose Apache Spark applications load data files using SparkContext.objectFile().
Impact: See SPARK-13599. If the data file loaded contained a serialized Groovy closure, it is possible to execute code as that user. Therefore, if a Spark job read in a file from an external source or user with lower rights using the objectFile() API, it would be possible to execute code as the user running the Spark application.
Recommended Action:
Upgrade to HDP 2.3.6+.
Do not have any version of Apache Groovy on the classpath of any Spark application, or upgrade to Groovy version 2.4.4+.
Never use Java serialization as a storage/exchange mechanism for data. There have been other Java serialization-based attacks in the past; avoiding Java serialization and the loading of files via the objectFile() method guarantees that this specific vulnerability, or any similar one, cannot be exploited by maliciously crafted files.
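As an added defender-side check, not part of the Hortonworks advisory or of Spark itself, the Python below heuristically inspects a raw Java serialization payload (for example the BytesWritable values inside an uncompressed SequenceFile written by saveAsObjectFile()) and flags class descriptors from Groovy packages, so an untrusted object file can be rejected before any job calls objectFile() on it. It assumes the payload is uncompressed (it cannot see through a codec-compressed SequenceFile); the stream constants come from java.io.ObjectStreamConstants and the sample streams are constructed, truncated fragments.

```python
import re
import struct

# Java serialization stream constants (java.io.ObjectStreamConstants).
STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION 5
TC_CLASSDESC = 0x72                  # start of a class descriptor record

# A class descriptor name must look like a Java class name; this filters the
# many stray 0x72 bytes ('r') that are not descriptor tags.
CLASS_NAME_RE = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

# Packages that must never appear in a data file read back with objectFile().
# org.codehaus.groovy.runtime.MethodClosure is the class named in CVE-2015-3253.
DENYLIST = ("org.codehaus.groovy.", "groovy.")


def class_names(data: bytes):
    """Heuristically extract class names from TC_CLASSDESC records.

    TC_CLASSDESC (0x72) is followed by a modified-UTF-8 string: a 2-byte
    big-endian length and the class name bytes. Candidates whose length runs
    past the buffer or whose bytes are not a valid class name are skipped.
    """
    names = []
    tag = bytes([TC_CLASSDESC])
    pos = data.find(tag)
    while pos != -1:
        if pos + 3 <= len(data):
            (length,) = struct.unpack_from(">H", data, pos + 1)
            candidate = data[pos + 3:pos + 3 + length]
            if length and len(candidate) == length and CLASS_NAME_RE.match(candidate):
                names.append(candidate.decode("ascii"))
        pos = data.find(tag, pos + 1)
    return names


def scan(data: bytes):
    """Return (is_java_serialized, denied_class_names) for a raw payload."""
    if STREAM_MAGIC not in data:
        return False, []
    denied = [n for n in class_names(data) if any(p in n for p in DENYLIST)]
    return True, denied


def _classdesc(name: bytes) -> bytes:
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name


# Constructed sample fragments: TC_OBJECT (0x73) followed by a class
# descriptor, then zero padding standing in for the rest of the record.
SAMPLE_BAD = STREAM_MAGIC + b"\x73" + _classdesc(b"org.codehaus.groovy.runtime.MethodClosure") + b"\x00" * 16
SAMPLE_OK = STREAM_MAGIC + b"\x73" + _classdesc(b"com.example.Record") + b"\x00" * 16
```

A hit means the file should be quarantined and never passed to objectFile(); an empty result is not proof of safety, since the scan is a heuristic and the real fix remains not using Java serialization for data.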