Deserialization in Apache Spark

CVE-2017-12612

In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution…

Vulnerability class: Insecure Deserialization

EPSS: 0.007 (49.5th percentile).

CVSS v3 metric

CVSS v3 base score 7.8 (High). Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

  • Apache Spark — versions 1.6.0, 1.6.1, 1.6.2

Frequently asked questions

What is CVE-2017-12612?
CVE-2017-12612 is a high-severity vulnerability in Apache Spark, classified under Deserialization of Untrusted Data. CVSS score: 7.8/10. Published 2017-09-13.
How severe is CVE-2017-12612?
High severity. CVSS v3 base score is 7.8 out of 10.