CVE-2021-38296
Summary
| CVE | CVE-2021-38296 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-03-10 09:15:00 UTC |
| Updated | 2023-02-09 02:02:00 UTC |
| Description | Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later |
Risk And Classification
Problem Types: CWE-294
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Spark | All | All | All | All |
| Application | Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 | All | All | All |
| Application | Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.3.0 | All | All | All |
| Application | Readdle | Spark | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| N/A | CONFIRM | lists.apache.org | |
| Oracle Critical Patch Update Advisory - July 2022 | N/A | www.oracle.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Steve Weis (Databricks)
There are currently no legacy QID mappings associated with this CVE.