Lightning-fast cluster computing

Reporting Security Issues

Apache Spark uses the standard process outlined by the Apache Security Team for reporting vulnerabilities.

If you need to report a possible security vulnerability, please email This is a non-public list that will reach the Spark PMC. Messages to will also reach the PMC.

Known Security Issues

CVE-2017-7678 Apache Spark XSS web UI MHTML vulnerability

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Versions of Apache Spark before 2.2.0

Description: It is possible for an attacker to take advantage of a user’s trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.

Mitigation: Update to Apache Spark 2.2.0 or later.

Example: Request:

GET /app/?appId=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--

Excerpt from response:

<div class="row-fluid">No running application with ID Content-Type: multipart/related;

Result: In the above payload the BASE64 data decodes as:



  • Mike Kasper, Nicholas Marion
  • IBM z Systems Center for Secure Engineering