This is an automated email from the ASF dual-hosted git repository. srowen pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/spark-website.git
The following commit(s) were added to refs/heads/asf-site by this push: new 1569fce Add notice for CVE-2021-38296 1569fce is described below commit 1569fcefeb8b6deba7270acc928a27ee678b6118 Author: Sean Owen <sro...@gmail.com> AuthorDate: Wed Mar 9 16:11:18 2022 -0600 Add notice for CVE-2021-38296 Author: Sean Owen <sro...@gmail.com> Closes #382 from srowen/CVE-2021-38296. --- security.md | 27 +++++++++++++++++++++++++++ site/security.html | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+) diff --git a/security.md b/security.md index dc9a9e6..32bbb74 100644 --- a/security.md +++ b/security.md @@ -18,6 +18,33 @@ non-public list that will reach the Apache Security team, as well as the Spark P <h2>Known security issues</h2> +<h3 id="CVE-2021-38296">CVE-2021-38296: Apache Spark<span class="tm">™</span> Key Negotiation Vulnerability</h3> + +Severity: Medium + +Vendor: The Apache Software Foundation + +Versions Affected: + +- Apache Spark 3.1.2 and earlier + +Description: + +Apache Spark supports end-to-end encryption of RPC connections via `spark.authenticate` and `spark.network.crypto.enabled`. +In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key +recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. +Note that this does not affect security mechanisms controlled by `spark.authenticate.enableSaslEncryption`, +`spark.io.encryption.enabled`, `spark.ssl`, `spark.ui.strictTransportSecurity`. + +Mitigation: + +- Update to Spark 3.1.3 or later + +Credit: + +- Steve Weis (Databricks) + + <h3 id="CVE-2020-9480">CVE-2020-9480: Apache Spark<span class="tm">™</span> RCE vulnerability in auth-enabled standalone master</h3> Severity: Important diff --git a/site/security.html b/site/security.html index ff3de6c..be0a8d8 100644 --- a/site/security.html +++ b/site/security.html 
@@ -155,6 +155,38 @@ non-public list that will reach the Apache Security team, as well as the Spark P <h2>Known security issues</h2> +<h3 id="CVE-2021-38296">CVE-2021-38296: Apache Spark<span class="tm">™</span> Key Negotiation Vulnerability</h3> + +<p>Severity: Medium</p> + +<p>Vendor: The Apache Software Foundation</p> + +<p>Versions Affected:</p> + +<ul> + <li>Apache Spark 3.1.2 and earlier</li> +</ul> + +<p>Description:</p> + +<p>Apache Spark supports end-to-end encryption of RPC connections via <code class="language-plaintext highlighter-rouge">spark.authenticate</code> and <code class="language-plaintext highlighter-rouge">spark.network.crypto.enabled</code>. +In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key +recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. +Note that this does not affect security mechanisms controlled by <code class="language-plaintext highlighter-rouge">spark.authenticate.enableSaslEncryption</code>, +<code class="language-plaintext highlighter-rouge">spark.io.encryption.enabled</code>, <code class="language-plaintext highlighter-rouge">spark.ssl</code>, <code class="language-plaintext highlighter-rouge">spark.ui.strictTransportSecurity</code>.</p> + +<p>Mitigation:</p> + +<ul> + <li>Update to Spark 3.1.3 or later</li> +</ul> + +<p>Credit:</p> + +<ul> + <li>Steve Weis (Databricks)</li> +</ul> + <h3 id="CVE-2020-9480">CVE-2020-9480: Apache Spark<span class="tm">™</span> RCE vulnerability in auth-enabled standalone master</h3> <p>Severity: Important</p> --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@spark.apache.org For additional commands, e-mail: commits-h...@spark.apache.org
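Review bot: In the Mitigation list of the security.md hunk the only item is "Update to Spark 3.1.3 or later", while the Description a few lines above states that the mechanism controlled by `spark.authenticate.enableSaslEncryption` is not affected; consider adding a second bullet for deployments that cannot upgrade right away, along the lines of `- Alternatively, disable spark.network.crypto.enabled and rely on spark.authenticate.enableSaslEncryption`, after confirming that combination is supported on the affected 3.1.x line. Also, in the Description the phrase "decrypt plaintext traffic offline" reads oddly, since the traffic being decrypted is ciphertext; "decrypt captured RPC traffic offline" states the intended point.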
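Review bot: The site/security.html hunk is generated output that mirrors the security.md hunk, so please confirm it was produced by the site build rather than edited by hand; the `<code class="language-plaintext highlighter-rouge">` wrappers and `<p>`/`<ul>` structure must stay in sync with the Markdown source or the two copies will drift on the next regeneration. As submitted, the two hunks agree on the anchor `id="CVE-2021-38296"`, the severity, the "3.1.2 and earlier" version range, the "3.1.3 or later" mitigation and the credit line, so nothing is out of sync in this push.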