← Back

CVE-2021-38296

nvd nist
Published: Mar 10, 2022Modified: Nov 21, 2024

JSON object

Loading...
7.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 / Impact: 3.6
Source: NVD

Description

Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later

Affected (3)

Apache
1 product
Spark
Oracle
1 product
Financial Services Crime And Compliance Management Studio
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Spark
Before 3.1.3
Configuration B
2 vulnerable
Vulnerable SoftwareAffected Versions
Oracle
Financial Services Crime And Compliance Management Studio
Version 8.0.8.2.0
Financial Services Crime And Compliance Management Studio
Version 8.0.8.3.0

Related CWEs

CWE-294
Authentication Bypass by Capture-replay
A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

References (4)

Source: security@apache.org
Mailing ListVendor Advisory
Source: security@apache.org
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory

Timeline

No history available yet.