CVE-2021-38296: Authentication Bypass by Capture-replay in Apache Spark

March 11, 2022 (updated October 25, 2024)

Apache Spark supports end-to-end encryption of RPC connections via “spark.authenticate” and “spark.network.crypto.enabled”. In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by “spark.authenticate.enableSaslEncryption”, “spark.io.encryption.enabled”, “spark.ssl”, “spark.ui.strictTransportSecurity”. Update to Apache Spark 3.1.3 or later

References

github.com/advisories/GHSA-9rr6-jpg7-9jg6
github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-186.yaml
lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd
nvd.nist.gov/vuln/detail/CVE-2021-38296
www.oracle.com/security-alerts/cpujul2022.html

Detect and mitigate CVE-2021-38296 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →