CVEs are generally not mentioned in the release notes or JIRA; instead we track them at https://spark.apache.org/security.html once they are resolved (prior to the resolution, the reports go to secur...@spark.apache.org) to allow the project time to fix the issue before public disclosure, so there is a fixed version for people to upgrade to.
On Wed, Mar 9, 2022 at 2:58 PM Manu Zhang <owenzhang1...@gmail.com> wrote:

> Hi Sean,
>
> I don't find it in 3.1.3 release notes
> https://spark.apache.org/releases/spark-release-3-1-3.html. Is it tracked
> somewhere?
>
> On Thu, Mar 10, 2022 at 6:14 AM Sean R. Owen <sro...@apache.org> wrote:
>
>> Severity: moderate
>>
>> Description:
>>
>> Apache Spark supports end-to-end encryption of RPC connections via
>> "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2
>> and earlier, it uses a bespoke mutual authentication protocol that allows
>> for full encryption key recovery. After an initial interactive attack, this
>> would allow someone to decrypt plaintext traffic offline. Note that this
>> does not affect security mechanisms controlled by
>> "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled",
>> "spark.ssl", "spark.ui.strictTransportSecurity".
>>
>> Mitigation:
>>
>> Update to Apache Spark 3.1.3 or later
>>
>> Credit:
>>
>> Steve Weis (Databricks)
>>
>> ---------------------------------------------------------------------
>> To unsubscribe e-mail: dev-unsubscr...@spark.apache.org
>>

--
Twitter: https://twitter.com/holdenkarau
Books (Learning Spark, High Performance Spark, etc.): https://amzn.to/2MaRAG9
YouTube Live Streams: https://www.youtube.com/user/holdenkarau
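The advisory quoted above gives the exact conditions under which a deployment is exposed: Spark 3.1.2 or earlier with both "spark.authenticate" and "spark.network.crypto.enabled" turned on, while the SASL, I/O encryption, SSL and UI settings it lists are not affected. The following is an added triage check, not code from this thread or from the Spark project. It assumes the standard spark-defaults.conf layout (one property per line, key separated from value by whitespace, "#" comments) and treats every version below 3.1.3 as affected, which is how the advisory's "3.1.2 and earlier" reads; the sample configurations embedded in it are constructed.

```python
"""Added example: flag Spark deployments matching the RPC crypto advisory.

Assumptions (not from the advisory): spark-defaults.conf uses the usual
"key<whitespace>value" lines with '#' comments, and a version string such as
"3.1.2" or "3.1.3-SNAPSHOT" is available (e.g. from `spark-submit --version`).
"""
import re

# First release the advisory names as fixed.
FIXED_VERSION = (3, 1, 3)

# Settings the advisory explicitly says are NOT affected; listed so a reviewer
# does not mistake them for the vulnerable path.
UNAFFECTED_KEYS = (
    "spark.authenticate.enableSaslEncryption",
    "spark.io.encryption.enabled",
    "spark.ssl",
    "spark.ui.strictTransportSecurity",
)


def parse_version(version):
    """'3.1.2' -> (3, 1, 2); '3.2' -> (3, 2, 0). Any suffix after the digits
    (e.g. '-SNAPSHOT') is ignored, so snapshots compare as their base version."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Spark version: {version!r}")
    return tuple(int(x or 0) for x in m.groups())


def parse_spark_defaults(text):
    """Parse spark-defaults.conf text into a dict of key -> value string."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # key, then the rest of the line
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def is_enabled(conf, key):
    return conf.get(key, "false").strip().lower() == "true"


def affected_by_rpc_crypto_advisory(version, conf):
    """Return (affected, reason) for one deployment.

    Exposed only when all three hold: version < 3.1.3, spark.authenticate=true,
    spark.network.crypto.enabled=true. The advisory's unaffected settings are
    deliberately not consulted."""
    if parse_version(version) >= FIXED_VERSION:
        return False, "Spark 3.1.3 or later: fixed protocol"
    if not is_enabled(conf, "spark.authenticate"):
        return False, "spark.authenticate not enabled"
    if not is_enabled(conf, "spark.network.crypto.enabled"):
        return False, "spark.network.crypto.enabled not enabled"
    return True, "vulnerable bespoke RPC auth protocol in use; upgrade to 3.1.3 or later"


# Constructed sample configurations (not real deployments).
VULNERABLE_CONF = """\
# spark-defaults.conf (constructed sample)
spark.master                    spark://master:7077
spark.authenticate              true
spark.authenticate.secret       not-a-real-secret
spark.network.crypto.enabled    true
"""

SASL_ONLY_CONF = """\
# spark-defaults.conf (constructed sample): SASL encryption, no network crypto
spark.authenticate                          true
spark.authenticate.enableSaslEncryption     true
spark.io.encryption.enabled                 true
"""


if __name__ == "__main__":
    for ver in ("2.4.8", "3.1.2", "3.1.3", "3.2.1"):
        affected, why = affected_by_rpc_crypto_advisory(ver, parse_spark_defaults(VULNERABLE_CONF))
        print(f"{ver:6} network-crypto conf: affected={affected} ({why})")
    affected, why = affected_by_rpc_crypto_advisory("3.1.2", parse_spark_defaults(SASL_ONLY_CONF))
    print(f"3.1.2  SASL-only conf:       affected={affected} ({why})")
```

Run it against each cluster's actual spark-defaults.conf and reported version; the SASL-only case is included because the advisory calls that mechanism out as unaffected, and a check that flagged it would generate false positives during the upgrade triage.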