Lucene search
PRIOn knowledge basePRION:CVE-2021-38296HistoryMar 10, 2022 - 9:15 a.m.
Authentication flaw
2022-03-1009:15:00
PRIOn knowledge base
www.prio-n.com
3
Apache Spark supports end-to-end encryption of RPC connections via “spark.authenticate” and “spark.network.crypto.enabled”. In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by “spark.authenticate.enableSaslEncryption”, “spark.io.encryption.enabled”, “spark.ssl”, “spark.ui.strictTransportSecurity”. Update to Apache Spark 3.1.3 or later
Related
veracode
veracode
Information Disclosure
2022-03-11 10:49:07
cvelist
cvelist
CVE-2021-38296 Apache Spark Key Negotiation Vulnerability
2022-03-10 08:20:12
cnvd
cnvd
Apache Spark Encryption Problem Vulnerability (CNVD-2022-21823)
2022-03-11 00:00:00
cve
cve
CVE-2021-38296
2022-03-10 09:15:07
osv
osv
Authentication Bypass by Capture-replay in Apache Spark
2022-03-11 00:02:36
CVE-2021-38296
2022-03-10 09:15:07
BIT-spark-2021-38296
2024-03-06 11:05:47
nvd
nvd
CVE-2021-38296
2022-03-10 09:15:07
github
github
Authentication Bypass by Capture-replay in Apache Spark
2022-03-11 00:02:36
ibm
ibm
oracle
oracle
Oracle Critical Patch Update Advisory - July 2022
2022-07-19 00:00:00