PT-2022-10712 · Apache · Apache Spark

Author: Steve Weis
Published: 2022-03-10
Updated: 2024-03-06
CVE: CVE-2021-38296
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Apache Spark versions 3.1.2 and earlier

Description: Apache Spark supports end-to-end encryption of RPC connections via spark.authenticate and spark.network.crypto.enabled. In affected versions, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by spark.authenticate.enableSaslEncryption, spark.io.encryption.enabled, spark.ssl, and spark.ui.strictTransportSecurity.

Recommendations: Update to Apache Spark 3.1.3 or later. As a temporary workaround, consider restricting the use of the bespoke mutual authentication protocol until a patch is available. Restrict access to the RPC connections to minimize the risk of exploitation. Avoid using the vulnerable protocol in production environments until the issue is resolved.

Fix

Weakness Enumeration

Related Identifiers

BIT-SPARK-2021-38296
CVE-2021-38296
GHSA-9RR6-JPG7-9JG6
OESA-2022-1591
PYSEC-2022-186

Affected Products

Apache Spark