Apache Spark Shell Command Injection - Weblogs
Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective
Sigma rule (View on GitHub)
1title: Apache Spark Shell Command Injection - Weblogs
2id: 1a9a04fd-02d1-465c-abad-d733fd409f9c
3status: test
4description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective
5references:
6 - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
7 - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
8 - https://github.com/apache/spark/pull/36315/files
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022/07/19
11modified: 2023/01/02
12tags:
13 - attack.initial_access
14 - attack.t1190
15 - cve.2022.33891
16 - detection.emerging_threats
17logsource:
18 category: webserver
19detection:
20 selection:
21 cs-uri-query|contains: '?doAs=`'
22 condition: selection
23falsepositives:
24 - Web vulnerability scanners
25level: high
References
-
cve-2022-33891-poc. Contribute to W01fh4cker/cve-2022-33891 development by creating an account on GitHub.
Read More -
CVE-2022-33891 Apache Spark shell command injection 前言 漏洞公告:https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc 影响版本:Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, a...
Read More -
What changes were proposed in this pull request? This PR proposes to avoid using bash -c in ShellBasedGroupsMappingProvider. This could allow users a command injection. Why are the changes needed? ...
Read More
Related rules
- Atlassian Bitbucket Command Injection Via Archive API
- CVE-2021-41773 Exploitation Attempt
- CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
- CVE-2022-31659 VMware Workspace ONE Access RCE
- Log4j RCE CVE-2021-44228 in Fields