Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05cnI2LWpwZzctOWpnNs0yFQ
Authentication Bypass by Capture-replay in Apache Spark
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later
Permalink: https://github.com/advisories/GHSA-9rr6-jpg7-9jg6JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05cnI2LWpwZzctOWpnNs0yFQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: 5 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-9rr6-jpg7-9jg6, CVE-2021-38296
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-38296
- https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd
- https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-186.yaml
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/advisories/GHSA-9rr6-jpg7-9jg6
Affected Packages
pypi:pyspark
Dependent packages: 488Dependent repositories: 6,227
Downloads: 29,032,123 last month
Affected Version Ranges: < 3.1.3
Fixed in: 3.1.3
All affected versions: 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.1, 3.1.2
All unaffected versions: 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1
maven:org.apache.spark:spark-core
Affected Version Ranges: < 3.1.3Fixed in: 3.1.3