CVE-2022-33891: 
Java vulnerability analysis and mitigation

The Apache Spark UI vulnerability (CVE-2022-33891) was discovered in July 2022, affecting Apache Spark's access control functionality. The vulnerability exists in the ACLs feature enabled via the spark.acls.enable configuration option. This security flaw affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1. The vulnerability was reported by security researcher Kostya Kortchinsky from Databricks (Security Online).

The vulnerability allows an attacker to perform user impersonation through a code path in HttpSecurityFilter when ACLs are enabled. The flaw enables a malicious user to reach a permission check function that constructs and executes Unix shell commands based on user input. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability (NVD).

When successfully exploited, this vulnerability results in arbitrary shell command execution with the privileges of the user running the Spark service. This could lead to complete system compromise, allowing attackers to execute unauthorized commands, access sensitive data, and potentially gain control over the affected system (CVE).

Users are recommended to upgrade Apache Spark to version 3.1.3, 3.2.2, or 3.3.0 or later to address this vulnerability. The fix has been implemented in these versions to prevent the shell command injection attack vector (Security Online).