Posted to announce@apache.org by "Sean R. Owen" <sr...@apache.org> on 2022/03/09 22:13:51 UTC

CVE-2021-38296: Apache Spark Key Negotiation Vulnerability

Severity: moderate

Description:

Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity".

Mitigation:

Update to Apache Spark 3.1.3 or later

Credit:

Steve Weis (Databricks)
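As an added defender-side example (not part of the advisory or of the Spark project), the check below flags a deployment as exposed only when the version range and the two settings the advisory names line up, and separately lists any configured settings the advisory says are unaffected so they are not mistaken for mitigations. The spark-defaults.conf content is constructed for the example.

```python
"""Added example: audit a Spark deployment for exposure to CVE-2021-38296.
Exposure needs Spark <= 3.1.2 with spark.authenticate and
spark.network.crypto.enabled both true; unaffected settings are listed too."""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = (3, 1, 3)  # first release carrying the fix, per the advisory
# Named in the advisory as NOT affected; "spark.ssl" covers spark.ssl.* keys.
UNAFFECTED_SETTINGS = ("spark.authenticate.enableSaslEncryption",
                       "spark.io.encryption.enabled", "spark.ssl",
                       "spark.ui.strictTransportSecurity")

# Constructed sample spark-defaults.conf, not taken from any real cluster.
SAMPLE_CONF = """\
spark.authenticate              true   # RPC auth + encryption: the
spark.network.crypto.enabled    true   # combination the advisory covers
spark.io.encryption.enabled=true       # shuffle/disk encryption, unaffected
spark.ssl.enabled               true   # UI/HTTP TLS, unaffected
"""

def parse_spark_conf(text: str) -> Dict[str, str]:
    """Parse 'key value' or 'key=value' lines; '#' starts a comment."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1) if line else []
        if len(parts) == 2:
            conf[parts[0]] = parts[1]
    return conf

def parse_version(version: str) -> Tuple[int, int, int]:
    """Pull major.minor.patch out of '3.1.2', 'v3.0.1' or '3.1.2-SNAPSHOT'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Spark version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))

def unaffected_settings_present(conf: Dict[str, str]) -> List[str]:
    """Configured settings the advisory says do NOT mitigate this CVE."""
    return [s for s in UNAFFECTED_SETTINGS
            if any(k == s or k.startswith(s + ".") for k in conf)]

def assess(version: str, conf: Dict[str, str]) -> str:
    """'fixed', 'vulnerable', or 'not-exposed' (vulnerable code path off)."""
    if parse_version(version) >= FIXED_VERSION:
        return "fixed"
    required = ("spark.authenticate", "spark.network.crypto.enabled")
    if all(conf.get(k, "false").strip().lower() == "true" for k in required):
        return "vulnerable"
    return "not-exposed"
```

A "not-exposed" verdict only means the vulnerable key negotiation path is not enabled; it says nothing about whether RPC traffic is protected at all.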


Re: CVE-2021-38296: Apache Spark Key Negotiation Vulnerability

Posted by Manu Zhang <ow...@gmail.com>.
Thanks for the clarification, Holden.

However, we maintain our own Spark version and cherry-pick critical patches
from the community. It’s not clear which patch we should apply here.

On Thu, Mar 10, 2022 at 7:04 AM, Holden Karau <ho...@pigscanfly.ca> wrote:

> CVEs are generally not mentioned in the release notes or JIRA; instead we
> track them at https://spark.apache.org/security.html once they are
> resolved (prior to the resolution the reports go to
> security@spark.apache.org) to allow the project time to fix the issue
> before public disclosure, so there is a fixed version for people to upgrade
> to.
>
> On Wed, Mar 9, 2022 at 2:58 PM Manu Zhang <ow...@gmail.com> wrote:
>
>> Hi Sean,
>>
>> I don't find it in 3.1.3 release notes
>> https://spark.apache.org/releases/spark-release-3-1-3.html. Is it
>> tracked somewhere?
>>
>> On Thu, Mar 10, 2022 at 6:14 AM Sean R. Owen <sr...@apache.org> wrote:
>>
>>> Severity: moderate
>>>
>>> Description:
>>>
>>> Apache Spark supports end-to-end encryption of RPC connections via
>>> "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2
>>> and earlier, it uses a bespoke mutual authentication protocol that allows
>>> for full encryption key recovery. After an initial interactive attack, this
>>> would allow someone to decrypt plaintext traffic offline. Note that this
>>> does not affect security mechanisms controlled by
>>> "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled",
>>> "spark.ssl", "spark.ui.strictTransportSecurity".
>>>
>>> Mitigation:
>>>
>>> Update to Apache Spark 3.1.3 or later
>>>
>>> Credit:
>>>
>>> Steve Weis (Databricks)
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe e-mail: dev-unsubscribe@spark.apache.org
>>>
>>>
>
> --
> Twitter: https://twitter.com/holdenkarau
> Books (Learning Spark, High Performance Spark, etc.):
> https://amzn.to/2MaRAG9
> YouTube Live Streams: https://www.youtube.com/user/holdenkarau
>

Re: CVE-2021-38296: Apache Spark Key Negotiation Vulnerability

Posted by Holden Karau <ho...@pigscanfly.ca>.
CVEs are generally not mentioned in the release notes or JIRA; instead we
track them at https://spark.apache.org/security.html once they are resolved
(prior to the resolution the reports go to security@spark.apache.org) to
allow the project time to fix the issue before public disclosure, so there
is a fixed version for people to upgrade to.

On Wed, Mar 9, 2022 at 2:58 PM Manu Zhang <ow...@gmail.com> wrote:

> Hi Sean,
>
> I don't find it in 3.1.3 release notes
> https://spark.apache.org/releases/spark-release-3-1-3.html. Is it tracked
> somewhere?
>
> On Thu, Mar 10, 2022 at 6:14 AM Sean R. Owen <sr...@apache.org> wrote:
>
>> Severity: moderate
>>
>> Description:
>>
>> Apache Spark supports end-to-end encryption of RPC connections via
>> "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2
>> and earlier, it uses a bespoke mutual authentication protocol that allows
>> for full encryption key recovery. After an initial interactive attack, this
>> would allow someone to decrypt plaintext traffic offline. Note that this
>> does not affect security mechanisms controlled by
>> "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled",
>> "spark.ssl", "spark.ui.strictTransportSecurity".
>>
>> Mitigation:
>>
>> Update to Apache Spark 3.1.3 or later
>>
>> Credit:
>>
>> Steve Weis (Databricks)
>>

-- 
Twitter: https://twitter.com/holdenkarau
Books (Learning Spark, High Performance Spark, etc.):
https://amzn.to/2MaRAG9
YouTube Live Streams: https://www.youtube.com/user/holdenkarau

Re: CVE-2021-38296: Apache Spark Key Negotiation Vulnerability

Posted by Manu Zhang <ow...@gmail.com>.
Hi Sean,

I don't find it in 3.1.3 release notes
https://spark.apache.org/releases/spark-release-3-1-3.html. Is it tracked
somewhere?

On Thu, Mar 10, 2022 at 6:14 AM Sean R. Owen <sr...@apache.org> wrote:

> Severity: moderate
>
> Description:
>
> Apache Spark supports end-to-end encryption of RPC connections via
> "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2
> and earlier, it uses a bespoke mutual authentication protocol that allows
> for full encryption key recovery. After an initial interactive attack, this
> would allow someone to decrypt plaintext traffic offline. Note that this
> does not affect security mechanisms controlled by
> "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled",
> "spark.ssl", "spark.ui.strictTransportSecurity".
>
> Mitigation:
>
> Update to Apache Spark 3.1.3 or later
>
> Credit:
>
> Steve Weis (Databricks)
>