CVE-2021-38296

moderate-risk

Published 2022-03-10

Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later

Do I need to act?

0.85% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (3)

Spark

Financial Services Crime And Compliance Management Studio

Affected Vendors

Apache Oracle

References (4)

Mailing List https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd

Patch https://www.oracle.com/security-alerts/cpujul2022.html

Mailing List https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd

Patch https://www.oracle.com/security-alerts/cpujul2022.html

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 3/34 · Minimal

Exposure 9/34 · Low