spark-network-common is vulnerable to remote code execution. The vulnerability exists because it is possible to create an RPC request that starts an application’s resources on the Spark cluster without the shared key, which can be leveraged to run shell commands.
github.com/apache/spark/commit/9416b7c54bdf5613c1a65e6d1779a87591c6c9bd
github.com/apache/spark/commit/c80d5f7aa0fd9e7b37e1bf4175204750098a44a6
lists.apache.org/thread.html/r03ad9fe7c07d6039fba9f2152d345274473cb0af3d8a4794a6645f4b@%3Cuser.spark.apache.org%3E
lists.apache.org/thread.html/ra0e62a18ad080c4ce6df5e0202a27eaada75222761efc3f7238b5a3b@%3Ccommits.doris.apache.org%3E
lists.apache.org/thread.html/rb3956440747e41940d552d377d50b144b60085e7ff727adb0e575d8d@%3Ccommits.submarine.apache.org%3E
lists.apache.org/thread.html/ree9e87aae81852330290a478692e36ea6db47a52a694545c7d66e3e2@%3Cdev.spark.apache.org%3E
seclists.org/oss-sec/2020/q2/205
spark.apache.org/security.html#CVE-2020-9480
www.oracle.com/security-alerts/cpuApr2021.html