Apache Spark Shell Command Injection - ProcessCreation
Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective
Sigma rule (View on GitHub)
1title: Apache Spark Shell Command Injection - ProcessCreation
2id: c8a5f584-cdc8-42cc-8cce-0398e4265de3
3status: test
4description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective
5references:
6 - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
7 - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
8 - https://github.com/apache/spark/pull/36315/files
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022/07/20
11tags:
12 - attack.initial_access
13 - attack.t1190
14 - cve.2022.33891
15logsource:
16 product: linux
17 category: process_creation
18detection:
19 selection:
20 ParentImage|endswith: '\bash'
21 CommandLine|contains:
22 - 'id -Gn `'
23 - "id -Gn '"
24 condition: selection
25falsepositives:
26 - Unlikely
27level: high
References
-
cve-2022-33891-poc. Contribute to W01fh4cker/cve-2022-33891 development by creating an account on GitHub.
Read More -
CVE-2022-33891 Apache Spark shell command injection 前言 漏洞公告:https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc 影响版本:Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, a...
Read More -
What changes were proposed in this pull request? This PR proposes to avoid using bash -c in ShellBasedGroupsMappingProvider. This could allow users a command injection. Why are the changes needed? ...
Read More
Related rules
- Atlassian Confluence CVE-2022-26134
- DNS Query to External Service Interaction Domains
- OMIGOD SCX RunAsProvider ExecuteScript
- OMIGOD SCX RunAsProvider ExecuteShellCommand
- OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd