CVE-2022-31777 - Exploiting Stored XSS in Apache Spark UI through Malicious Log Messages

Apache Spark is one of the most popular open-source engines for distributed data processing. It’s used in everything from data analysis to machine learning, and its web UI is often accessed by developers, admins, and analysts. But in 2022, a serious stored XSS (Cross-Site Scripting) vulnerability was discovered that could let hackers execute JavaScript in the browsers of anyone looking at Spark’s web-facing logs. In this post, we’ll break down what CVE-2022-31777 is, see how the exploit works, and show proof-of-concept code you can use for testing (responsibly!).

Background: Apache Spark & The UI

Apache Spark includes a built-in web UI to help monitor jobs, stages, executors, and show application logs. These logs are crucial for troubleshooting and performance monitoring, but sometimes, user-controlled inputs can end up in the logs (e.g., from job names, error messages, or data processed).

Vulnerability Details (CVE-2022-31777)

Summary:  
A stored XSS issue exists in Apache Spark 3.2.1 and earlier, and 3.3.. By injecting a crafted JavaScript payload into log messages, an attacker can execute arbitrary code in the browser of any user who opens the Spark UI and views those logs. This can be done remotely if the attacker has a way to push malicious content to the logs (e.g., via job submission or malformed data).

References

- NVD - CVE-2022-31777
- Apache Spark JIRA - SPARK-39304
- Apache Security Advisory

How does an attacker inject the payload?

There are several ways. For example, if a user submits a job with a malicious string as the job name, or uploads data that generates errors containing JavaScript code, those strings may end up displayed in the UI logs—unfiltered.

Suppose a user submits a job with this payload as the job name

"><script>alert('XSS in Spark!')</script>

When this job is displayed in the Spark UI (say, under "Applications"), this script will run in the browser of whoever loads that page.

Step 1: Submit a Job with Malicious Name

For demonstration, imagine you're using PySpark. You can submit a Spark job with a specially crafted name like this:

from pyspark.sql import SparkSession

malicious_name = '"><script>alert("XSS in Spark!")</script>'

spark = SparkSession.builder \
    .appName(malicious_name) \
    .getOrCreate()

df = spark.range(1,5)
df.show()

Run the code above.

2. Go to your Spark UI (usually at http://localhost:404).

The script block will execute and display an alert.

If you’re using a shared Spark cluster, this can affect anyone viewing the UI.

More Realistic Attack Scenario

Let's say the attacker submits data containing a malicious string. During processing, an exception is raised, logging the errant input. If Spark logs user input verbatim, the payload ends up in logs. When admins view logs in the UI, XSS executes.

Malicious data row:  

foo","bar");alert('pwned');//"

Faulty code that processes logs message

try:
    risky_processing(user_input)
except Exception as e:
    spark._jvm.org.apache.log4j.Logger.getLogger("custom").error(str(e))

If user_input contains the payload, and is logged without escaping HTML, there’s XSS.

Mitigation & Patch

- Patched in Apache Spark 3.3.1 and 3.2.2 (release notes)
- The patch ensures log output is properly escaped before rendering in the UI (typically via HTML encoding).

Sanitize any user-supplied data that could end up in logs.

3. Restrict access to Spark’s web UI, use strong authentication, and avoid exposing it to the internet.

References & Further Reading

- Apache Spark Security Advisories
- NVD Entry for CVE-2022-31777
- Patch Commit on GitHub
- What is Stored XSS? (OWASP)

Final Words

CVE-2022-31777 is a classic example of how even trusted back-end logs can become an attack vector in modern web applications. If you run Apache Spark (especially older versions), make sure to update as soon as possible, and always treat anything rendered to a UI—especially logs—with suspicion. If you’re a penetration tester or developer, try submitting code like the snippet above in your own environment to test (just don’t do it on someone else's cluster without permission!).

Stay safe, and keep your clusters secure!

*Exclusive writeup by [ChatGPT Security Insights – June 2024]*

Timeline

Published on: 11/01/2022 16:15:00 UTC
Last modified on: 11/29/2022 17:58:00 UTC