Posted to commits@spark.apache.org by sr...@apache.org on 2022/03/09 22:13:08 UTC

[spark-website] branch asf-site updated: Add notice for CVE-2021-38296

This is an automated email from the ASF dual-hosted git repository.

srowen pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/spark-website.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 1569fce  Add notice for CVE-2021-38296
1569fce is described below

commit 1569fcefeb8b6deba7270acc928a27ee678b6118
Author: Sean Owen <sr...@gmail.com>
AuthorDate: Wed Mar 9 16:11:18 2022 -0600

    Add notice for CVE-2021-38296
    
    Author: Sean Owen <sr...@gmail.com>
    
    Closes #382 from srowen/CVE-2021-38296.
---
 security.md        | 27 +++++++++++++++++++++++++++
 site/security.html | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)

diff --git a/security.md b/security.md
index dc9a9e6..32bbb74 100644
--- a/security.md
+++ b/security.md
@@ -18,6 +18,33 @@ non-public list that will reach the Apache Security team, as well as the Spark P
 
 <h2>Known security issues</h2>
 
+<h3 id="CVE-2021-38296">CVE-2021-38296: Apache Spark<span class="tm">&trade;</span> Key Negotiation Vulnerability</h3>
+
+Severity: Medium
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+- Apache Spark 3.1.2 and earlier
+
+Description:
+
+Apache Spark supports end-to-end encryption of RPC connections via `spark.authenticate` and `spark.network.crypto.enabled`. 
+In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key 
+recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. 
+Note that this does not affect security mechanisms controlled by `spark.authenticate.enableSaslEncryption`, 
+`spark.io.encryption.enabled`, `spark.ssl`, `spark.ui.strictTransportSecurity`.
+
+Mitigation:
+
+- Update to Spark 3.1.3 or later
+
+Credit:
+
+- Steve Weis (Databricks)
+
+
 <h3 id="CVE-2020-9480">CVE-2020-9480: Apache Spark<span class="tm">&trade;</span> RCE vulnerability in auth-enabled standalone master</h3>
 
 Severity: Important
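Review bot: the Mitigation list gives upgrading as the only action, yet the Description already pins the flaw to the protocol enabled by `spark.authenticate` together with `spark.network.crypto.enabled` and states that `spark.authenticate.enableSaslEncryption`, `spark.io.encryption.enabled`, `spark.ssl` and `spark.ui.strictTransportSecurity` are unaffected; adding one line under Mitigation saying that deployments which do not enable `spark.network.crypto.enabled` are not exposed would let operators triage before scheduling the upgrade. Minor: the four Description lines end with trailing spaces, and there are two blank lines before the CVE-2020-9480 heading instead of one.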
diff --git a/site/security.html b/site/security.html
index ff3de6c..be0a8d8 100644
--- a/site/security.html
+++ b/site/security.html
@@ -155,6 +155,38 @@ non-public list that will reach the Apache Security team, as well as the Spark P
 
 <h2>Known security issues</h2>
 
+<h3 id="CVE-2021-38296">CVE-2021-38296: Apache Spark<span class="tm">&trade;</span> Key Negotiation Vulnerability</h3>
+
+<p>Severity: Medium</p>
+
+<p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected:</p>
+
+<ul>
+  <li>Apache Spark 3.1.2 and earlier</li>
+</ul>
+
+<p>Description:</p>
+
+<p>Apache Spark supports end-to-end encryption of RPC connections via <code class="language-plaintext highlighter-rouge">spark.authenticate</code> and <code class="language-plaintext highlighter-rouge">spark.network.crypto.enabled</code>. 
+In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key 
+recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. 
+Note that this does not affect security mechanisms controlled by <code class="language-plaintext highlighter-rouge">spark.authenticate.enableSaslEncryption</code>, 
+<code class="language-plaintext highlighter-rouge">spark.io.encryption.enabled</code>, <code class="language-plaintext highlighter-rouge">spark.ssl</code>, <code class="language-plaintext highlighter-rouge">spark.ui.strictTransportSecurity</code>.</p>
+
+<p>Mitigation:</p>
+
+<ul>
+  <li>Update to Spark 3.1.3 or later</li>
+</ul>
+
+<p>Credit:</p>
+
+<ul>
+  <li>Steve Weis (Databricks)</li>
+</ul>
+
 <h3 id="CVE-2020-9480">CVE-2020-9480: Apache Spark<span class="tm">&trade;</span> RCE vulnerability in auth-enabled standalone master</h3>
 
 <p>Severity: Important</p>
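Review bot: keep this generated block in sync with security.md by re-rendering rather than hand-editing; the text here must match the markdown hunk word for word, so any wording change to the Description or Mitigation there needs a re-render here or the two copies drift. Minor: the trailing spaces at the ends of the paragraph lines (`</code>. ` and `key `) are carried over from the markdown source.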
