CVE-2021-38296
CVE-2021-38296 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. EPSS estimates a 1.82% chance of exploitation in the next 30 days.
Description
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Spark | < 3.1.3 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.3.0 |
References
- https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd (Mailing List, Vendor Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-38296?
How severe is CVE-2021-38296?
How do I fix CVE-2021-38296?
Are you affected by CVE-2021-38296?
Source: NVD / NIST
