Vulnerability Description
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", or "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Spark | < 3.1.3 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd (Mailing List, Vendor Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
FAQ
What is CVE-2021-38296?
CVE-2021-38296 is a vulnerability with a CVSS score of 7.5 (HIGH). Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication proto...
How severe is CVE-2021-38296?
CVE-2021-38296 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-38296?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Spark, Oracle Financial Services Crime And Compliance Management Studio.