CVE-2021-38296

HIGH

Apache Spark <3.1.2 - Info Disclosure

Title source: llm

Description

Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later

References (2)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3 7.5

EPSS 0.0085

EPSS Percentile 75.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-294

Status published

Products (5)

apache/spark < 3.1.3

oracle/financial_services_crime_and_compliance_management_studio 8.0.8.2.0

oracle/financial_services_crime_and_compliance_management_studio 8.0.8.3.0

org.apache.spark/spark-core 0 - 3.1.3Maven

pypi/pyspark 0 - 3.1.3PyPI

Published Mar 10, 2022

Tracked Since Feb 18, 2026