AVID-2026-R0880
Description
Apache Spark Key Negotiation Vulnerability (CVE-2021-38296)
Details
Apache Spark supports end-to-end encryption of RPC connections via `spark.authenticate` and `spark.network.crypto.enabled`. In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by `spark.authenticate.enableSaslEncryption`, `spark.io.encryption.enabled`, `spark.ssl` or `spark.ui.strictTransportSecurity`. Update to Apache Spark 3.1.3 or later.
Reason for inclusion in AVID: CVE-2021-38296 describes a Spark authentication key negotiation vulnerability that allows capture-replay-based authentication bypass and decryption of traffic. Apache Spark is a core data processing framework frequently used in AI/ML pipelines for data ingestion/processing; vulnerabilities in Spark affect the software stack used to build/train/deploy AI systems, hence within the AI supply chain. The issue is a software security vulnerability with clear affected versions and remediation guidance, as evidenced by the CVE/NVD sources provided.
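The exposure condition above (affected release, and both `spark.authenticate` and `spark.network.crypto.enabled` turned on) can be checked mechanically before an upgrade window. The following is an added illustrative checker, not code from AVID or the Apache Spark project: it takes a Spark version string and the text of a `spark-defaults.conf`, and reports whether the deployment relies on the affected RPC key negotiation. It assumes both keys default to `false` when absent and uses a simplified reader for the config file (no escapes or line continuations); the sample configuration is constructed.

```python
"""Assess a Spark deployment's exposure to CVE-2021-38296 (illustrative, not Spark/AVID code)."""
import re
from typing import Dict, Tuple

# Last affected release per the advisory: 3.1.2 and earlier; 3.1.3+ is fixed.
LAST_AFFECTED = (3, 1, 2)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return the leading (major, minor, patch) of a Spark version string.
    Handles '3.1.2', '3.1.2-SNAPSHOT', '3.2' and vendor builds with extra
    components; only the first three numeric components are compared."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Spark version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def parse_spark_defaults(text: str) -> Dict[str, str]:
    """Simplified spark-defaults.conf reader (assumption: Java-Properties-like
    syntax: key then whitespace, '=' or ':' then value; lines starting with
    '#' or '!' are comments; later keys override earlier ones)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^\s=:]+)\s*[\s=:]\s*(.*)", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def _truthy(value: str) -> bool:
    return value.strip().lower() == "true"


def assess(version: str, conf: Dict[str, str]) -> Dict[str, object]:
    """Classify exposure. The bespoke key negotiation is only in play when both
    spark.authenticate and spark.network.crypto.enabled are true (defaults
    assumed false). SASL encryption, I/O encryption and SSL settings are
    unaffected per the advisory, so they do not change the verdict."""
    v = parse_version(version)
    vulnerable_version = v <= LAST_AFFECTED
    auth = _truthy(conf.get("spark.authenticate", "false"))
    crypto = _truthy(conf.get("spark.network.crypto.enabled", "false"))
    exposed = vulnerable_version and auth and crypto
    if exposed:
        action = "upgrade to Apache Spark 3.1.3 or later"
    elif vulnerable_version:
        action = ("not using the affected RPC encryption; upgrade before "
                  "enabling spark.network.crypto.enabled")
    else:
        action = "none (fixed release)"
    return {
        "version": v,
        "vulnerable_version": vulnerable_version,
        "rpc_crypto_enabled": auth and crypto,
        "exposed": exposed,
        "action": action,
    }


# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONF = """
# spark-defaults.conf (constructed example)
spark.authenticate            true
spark.network.crypto.enabled  true
spark.io.encryption.enabled   true
spark.ssl.enabled=false
"""

if __name__ == "__main__":
    conf = parse_spark_defaults(SAMPLE_CONF)
    for ver in ("3.1.2", "3.1.3", "2.4.8"):
        print(ver, assess(ver, conf))
```

Running the block reports 3.1.2 and 2.4.8 as exposed with the sample settings and 3.1.3 as fixed; with `spark.network.crypto.enabled` absent or `false` the same old releases are reported as not exposed but still in need of an upgrade before that setting is enabled.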
References
- NVD entry
- https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd
- https://www.oracle.com/security-alerts/cpujul2022.html
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Spark |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-294 | Authentication Bypass by Capture-replay |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-03-10
- Version: 0.3.3
- AVID Entry