CVE-2021-38296
HIGH
Apache Spark <3.1.2 - Info Disclosure
Title source: llm
Description
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later.
Scores
CVSS v3
7.5
EPSS
0.0085
EPSS Percentile
74.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Classification
CWE
CWE-294
Status
published
Affected Products (5)
apache/spark
< 3.1.3
oracle/financial_services_crime_and_compliance_management_studio
oracle/financial_services_crime_and_compliance_management_studio
org.apache.spark/spark-core
< 3.1.3 Maven
pypi/pyspark
< 3.1.3 PyPI
Timeline
Published
Mar 10, 2022
Tracked Since
Feb 18, 2026