Apache Spark Shell Command Injection - ProcessCreation
Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective
Sigma rule (View on GitHub)
1title: Apache Spark Shell Command Injection - ProcessCreation
2id: c8a5f584-cdc8-42cc-8cce-0398e4265de3
3status: test
4description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective
5references:
6 - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
7 - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
8 - https://github.com/apache/spark/pull/36315/files
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022-07-20
11tags:
12 - attack.initial-access
13 - attack.t1190
14 - cve.2022-33891
15 - detection.emerging-threats
16logsource:
17 product: linux
18 category: process_creation
19detection:
20 selection:
21 ParentImage|endswith: '\bash'
22 CommandLine|contains:
23 - 'id -Gn `'
24 - "id -Gn '"
25 condition: selection
26falsepositives:
27 - Unlikely
28level: high
References
-
cve-2022-33891-poc. Contribute to W01fh4cker/cve-2022-33891 development by creating an account on GitHub.
Read More -
CVE-2022-33891 Apache Spark shell command injection 前言 漏洞公告:https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc 影响版本:Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, a...
Read More -
What changes were proposed in this pull request? This PR proposes to avoid using bash -c in ShellBasedGroupsMappingProvider. This could allow users a command injection. Why are the changes needed? ...
Read More
Related rules
- Apache Spark Shell Command Injection - Weblogs
- Atlassian Confluence CVE-2022-26134
- OMIGOD HTTP No Authentication RCE - CVE-2021-38647
- Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
- Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process