PT-2019-11428 · Apache · Apache Spark

Published: 2019-08-07
Updated: 2022-04-22
CVE-2019-10099
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Apache Spark versions prior to 2.3.3
Description: In the affected versions, user data can be written to local disk unencrypted even though spark.io.encryption.enabled is set to true. This occurs in specific situations: when cached blocks are fetched to disk, and when certain functions in SparkR and PySpark are used, such as parallelize, broadcast, and Python UDFs.
Recommendations: For versions prior to 2.3.3, update to version 2.3.3 or later to resolve the issue. As a temporary workaround, consider disabling the use of spark.maxRemoteBlockSizeFetchToMem and avoiding the parallelize and broadcast functions in SparkR and PySpark until the upgrade can be applied. Restrict access to Python UDFs to minimize the risk of exploitation.
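The following is an added example, not code from the advisory or from the Apache Spark project. It shows how a defender can audit a deployment for the condition described above: I/O encryption is expected but the Spark version predates the 2.3.3 fix, so some write paths still spill cleartext to local disk. It assumes a spark-defaults.conf style text (key and value separated by whitespace or "="), and a version string as reported by the deployment; both inputs below are constructed for the example.

```python
"""Constructed configuration audit for CVE-2019-10099 (added example).

Inputs are assumptions: a spark-defaults.conf style text and the Spark
version string reported by the cluster. The check flags deployments that
rely on spark.io.encryption.enabled=true while running a release older
than 2.3.3, where the advisory says cached blocks fetched to disk and the
SparkR/PySpark parallelize, broadcast and Python UDF paths can still write
unencrypted data to local disk.
"""
import re

# First Spark release containing the fix, per the advisory.
FIXED_VERSION = (2, 3, 3)


def parse_spark_conf(text):
    """Parse 'key value' or 'key=value' lines into a dict; skip blanks and comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([^\s=]+)\s*=?\s*(.*)$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def parse_version(version):
    """Reduce a Spark version string (e.g. '2.3.2', '2.4.0-SNAPSHOT') to (major, minor, patch).

    Vendor suffixes and extra components after the third number are ignored.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised Spark version string: %r" % version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_true(value):
    return value.strip().lower() == "true"


def assess(conf_text, version):
    """Return a dict describing exposure to CVE-2019-10099 for one deployment."""
    conf = parse_spark_conf(conf_text)
    ver = parse_version(version)
    encryption = is_true(conf.get("spark.io.encryption.enabled", "false"))
    vulnerable_version = ver < FIXED_VERSION
    findings = []

    if vulnerable_version and encryption:
        findings.append(
            "CVE-2019-10099: spark.io.encryption.enabled=true but Spark %d.%d.%d < 2.3.3; "
            "cached blocks fetched to disk and SparkR/PySpark parallelize, broadcast and "
            "Python UDF paths can write cleartext to local disk. Upgrade to 2.3.3 or later."
            % ver
        )
    if vulnerable_version and "spark.maxRemoteBlockSizeFetchToMem" in conf:
        findings.append(
            "spark.maxRemoteBlockSizeFetchToMem is configured on an unpatched release; "
            "the advisory's interim workaround is to stop relying on it until upgraded."
        )
    if not encryption:
        findings.append(
            "spark.io.encryption.enabled is not true: local shuffle and cache data is "
            "unencrypted by configuration, independent of this CVE."
        )

    return {
        "version": ver,
        "encryption_enabled": encryption,
        "vulnerable_version": vulnerable_version,
        "findings": findings,
    }


# Constructed sample input for the example (not a real deployment).
SAMPLE_CONF = """
# constructed spark-defaults.conf
spark.io.encryption.enabled true
spark.maxRemoteBlockSizeFetchToMem 200m
spark.authenticate=true
"""

if __name__ == "__main__":
    for v in ("2.3.2", "2.3.3"):
        result = assess(SAMPLE_CONF, v)
        print("Spark %s: %d finding(s)" % (v, len(result["findings"])))
        for f in result["findings"]:
            print("  - " + f)
```

Run against each cluster's effective configuration rather than the packaged defaults: the encryption flag is frequently set per application via spark-submit, and the version parser deliberately ignores vendor suffixes so distribution builds compare on their upstream release number only.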

Fix

Cleartext Storage of Sensitive Information


Weakness Enumeration

Related Identifiers

CVE-2019-10099
GHSA-FP5J-3FPF-MHJ5
PYSEC-2019-114

Affected Products

Apache Spark