
Apache has released security patches to address vulnerabilities in Apache CloudStack, Apache Spark, Apache Hive, and Apache SkyWalking.
A remote attacker could exploit some of these vulnerabilities to take control of the affected system, execute arbitrary commands, or cause a denial of service.
Sample of the addressed vulnerabilities:
- Apache CloudStack XML external entity (CVE-2022-35741):
  Apache CloudStack is vulnerable to XML external entity (XXE) processing, caused by a flaw that is reachable when the SAML 2.0 authentication Service Provider plugin is enabled. By sending specially crafted XML data during the authentication flow, an attacker can use this vulnerability to read arbitrary files, cause a denial of service condition, or perform server-side request forgery (SSRF) attacks from the CloudStack management server.
  - CVSS: 9.8
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Consequences: Gain Access
- Apache Spark command execution (CVE-2022-33891):
  Apache Spark could allow the remote authenticated attacker to execute arbitrary commands on the system, caused by improper input validation in a code path of HttpSecurityFilter that is used when ACLs are enabled. The attacker could exploit this vulnerability to execute arbitrary shell commands in the context of the Spark user by sending a specially crafted request using an arbitrary user name.
  - CVSS: 9.8
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Consequences: Gain Access
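The Spark entry above is a command-injection class of flaw: a request-supplied user name reaches a command line without validation. This added example is not Spark's code or its patch; it shows the two controls a defender wants whenever a user name from a request is used in a system call: a strict allow-list check on the name, and running the command as an argument vector with no shell in between. The class name, the regular expression and the sample names are constructed for illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical helper for a group lookup that never lets request data touch a shell.
public final class SafeGroupLookup {

    // Conservative POSIX-style account name: letter or underscore first, then
    // letters, digits, '_', '.', '-', at most 32 characters. Anything else is rejected.
    private static final Pattern USER_NAME = Pattern.compile("^[a-zA-Z_][a-zA-Z0-9_.-]{0,31}$");

    public static boolean isValidUserName(String name) {
        return name != null && USER_NAME.matcher(name).matches();
    }

    // Builds the argv for the lookup. The name is a single argument, so even a
    // name containing shell metacharacters could only ever be an unknown user.
    public static List<String> lookupCommand(String user) {
        if (!isValidUserName(user)) {
            throw new IllegalArgumentException("rejected user name");
        }
        return List.of("id", "-Gn", user);
    }

    // Runs the lookup via ProcessBuilder (no "sh -c"), returning an empty list on failure.
    public static List<String> groupsFor(String user) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(lookupCommand(user)).redirectErrorStream(true).start();
        String out;
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
            out = r.readLine();
        }
        int rc = p.waitFor();
        if (rc != 0 || out == null || out.isBlank()) {
            return List.of();
        }
        return List.of(out.trim().split("\\s+"));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample names: the last two fail validation and never reach ProcessBuilder.
        for (String candidate : new String[]{"alice", "svc-spark", "alice;", "a b"}) {
            System.out.printf("%-12s valid=%b%n", candidate, isValidUserName(candidate));
        }
        String me = System.getProperty("user.name");
        System.out.println("groups for " + me + ": " + groupsFor(me));
    }
}
```

On the detection side, the same regular expression makes a useful filter over web-server or application access logs: a user name parameter that fails it is worth an alert, whether or not the deployed version is patched.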
Vulnerabilities
- CVE-2022-35741
- CVE-2022-33891
- CVE-2022-36127
- CVE-2021-34538
Mitigations
The enterprise should deploy the patches as soon as the testing phase is completed.
- Apache CloudStack
- Apache Spark
- Apache SkyWalking
- Apache Hive