Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05cnI2LWpwZzctOWpnNs0yFQ

Authentication Bypass by Capture-replay in Apache Spark

Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later

Permalink: https://github.com/advisories/GHSA-9rr6-jpg7-9jg6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05cnI2LWpwZzctOWpnNs0yFQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: 5 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-9rr6-jpg7-9jg6, CVE-2021-38296
References:

Blast Radius: 29.5

Affected Packages

pypi:pyspark

Dependent packages: 488
Dependent repositories: 6,227
Downloads: 29,032,123 last month
Affected Version Ranges: < 3.1.3
Fixed in: 3.1.3
All affected versions: 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.1, 3.1.2
All unaffected versions: 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1

maven:org.apache.spark:spark-core

Affected Version Ranges: < 3.1.3
Fixed in: 3.1.3