Apache · Apache Spark · CVE-2021-38296
**Name of the Vulnerable Software and Affected Versions**
Apache Spark versions 3.1.2 and earlier
**Description**
Apache Spark supports end-to-end encryption of RPC connections via `spark.authenticate` and `spark.network.crypto.enabled`. In affected versions, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by `spark.authenticate.enableSaslEncryption`, `spark.io.encryption.enabled`, `spark.ssl`, and `spark.ui.strictTransportSecurity`.
**Recommendations**
Update to Apache Spark 3.1.3 or later, which contains the fix. If upgrading cannot happen immediately, reduce exposure rather than disabling encryption: restrict network access to the driver and executor RPC ports (for example, to the cluster's own hosts and a trusted client network), since the attack requires interacting with the authentication protocol before the key can be recovered. Do not simply turn off `spark.network.crypto.enabled` as a workaround, as that removes RPC encryption altogether instead of fixing it. The advisory lists `spark.authenticate.enableSaslEncryption` and `spark.ssl` among the mechanisms that are not affected, so deployments that cannot upgrade may consider them as an interim measure. Note that traffic already captured while the vulnerable protocol was in use remains decryptable offline once the key is recovered, so treat such captures as exposed regardless of later remediation.
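The following is an added example, not code from the Apache Spark project or from this advisory: a small Python check that reads a `spark-defaults.conf` and a Spark version string and reports whether a deployment is on the affected code path, i.e. `spark.authenticate` and `spark.network.crypto.enabled` both true on a release earlier than 3.1.3. The sample configs and the version cut-off are taken from the advisory text; the parser mirrors how Spark loads the file as Java properties (`key value`, `key=value` or `key: value`, with `#`/`!` comment lines), and the function names are my own.

```python
"""Flag Spark deployments on the CVE-2021-38296 code path.

Added example (not Apache Spark project code). Affected: spark.authenticate and
spark.network.crypto.enabled both enabled on Spark 3.1.2 or earlier. SASL
encryption (spark.authenticate.enableSaslEncryption) and spark.ssl are not affected.
"""
import re

# First release the advisory names as fixed.
FIRST_FIXED = (3, 1, 3)


def parse_spark_conf(text):
    """Parse spark-defaults.conf text into a dict.

    Spark reads the file as Java properties: the key ends at the first '=', ':'
    or whitespace, an optional separator follows, and the rest of the line is the
    value. Lines starting with '#' or '!' are comments; blank lines are skipped.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^\s=:]+)(?:\s*[=:\s]\s*(.*))?$", line)
        if m:
            conf[m.group(1)] = (m.group(2) or "").strip()
    return conf


def conf_bool(conf, key, default=False):
    """Read a boolean setting; Spark accepts 'true'/'false' case-insensitively."""
    return conf.get(key, str(default)).strip().lower() == "true"


def parse_version(version):
    """Turn '3.1.2', 'v3.1.2' or '3.1.2-SNAPSHOT' into a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Spark version: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(version, conf_text):
    """Return (affected, reason) for one deployment.

    The bespoke RPC crypto is only negotiated when authentication is on, so a
    deployment with spark.authenticate=false never reaches the vulnerable path
    (it also has no RPC encryption at all, which is a separate finding).
    """
    conf = parse_spark_conf(conf_text)
    ver = parse_version(version)
    if ver >= FIRST_FIXED:
        return False, f"Spark {version} is at or past 3.1.3 (fixed)"
    if not conf_bool(conf, "spark.authenticate"):
        return False, "spark.authenticate is false; RPC encryption is not negotiated"
    if not conf_bool(conf, "spark.network.crypto.enabled"):
        return False, "spark.network.crypto.enabled is false; bespoke crypto path unused"
    return True, (f"Spark {version} with spark.authenticate and spark.network.crypto.enabled: "
                  "key-recovery attack applies; upgrade to 3.1.3 or later")


# Constructed sample configs for illustration, not taken from any real deployment.
VULNERABLE_CONF = """
# spark-defaults.conf (affected combination)
spark.authenticate              true
spark.authenticate.secret       REDACTED
spark.network.crypto.enabled    true
"""

SASL_CONF = """
! SASL-based RPC encryption, listed by the advisory as not affected
spark.authenticate=true
spark.authenticate.enableSaslEncryption=true
"""

if __name__ == "__main__":
    for ver, conf in (("3.1.2", VULNERABLE_CONF), ("3.1.3", VULNERABLE_CONF), ("3.0.1", SASL_CONF)):
        affected, reason = assess(ver, conf)
        print(f"{ver}: {'AFFECTED' if affected else 'not affected'} - {reason}")
```

Run it against each cluster's `spark-defaults.conf` (or the effective configuration from the Spark UI's Environment tab) together with the version from `spark-submit --version`; settings passed on the command line or set programmatically on the `SparkConf` override the file, so check the effective values rather than the file alone.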