CVE-2021-38296

CWE-2947 documents6 sources

Severity

7.5HIGH

EPSS

0.9%

top 25.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Spark Apache Software Foundation Apache Spark Oracle Financial Services Crime AND Compliance Management Studio

Timeline

PublishedMar 10

Latest updateJul 15

Description

Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl"…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDapache/spark< 3.1.3

▶Mavenorg.apache.spark:spark-core< 3.1.3

▶CVEListV5apache_software_foundation/apache_sparkup to and including version 3.1.2 — 3.1.2

▶PyPIpyspark< 3.1.3

▶NVDoracle/financial_services_crime_and_compliance_management_studio8.0.8.2.0, 8.0.8.3.0+1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Authentication Bypass by Capture-replay in Apache Spark↗2022-03-11

▶

GHSA

Authentication Bypass by Capture-replay in Apache Spark↗2022-03-11

▶

OSV

CVE-2021-38296: Apache Spark supports end-to-end encryption of RPC connections via "spark↗2022-03-10

▶

CVEList

Apache Spark Key Negotiation Vulnerability↗2022-03-10

▶

📋Vendor Advisories

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Studio (Apache Spark) — CVE-2021-38296↗2022-07-15

▶

Apache

Apache spark: CVE-2021-38296↗

▶