5 matches found
Apache Spark has Inadequate Encryption Strength
This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes. When spark.network.crypto.enabled is set to true it is set to false by default, but...
CVE-2025-55039
This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes. When spark.network.crypto.enabled is set to true it is set to false by default, but...
CVE-2025-55039
CVE-2025-55039 affects Apache Spark prior to 3.4.4, 3.5.2 and 4.0.0. When spark.network.crypto.enabled is true (default false) and spark.network.crypto.cipher is not configured, Spark uses AES/CTR/NoPadding for RPC traffic, enabling encryption without authentication. A MITM could flip bits in cip...
CVE-2025-55039 Apache Spark, Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks
This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes. When spark.network.crypto.enabled is set to true it is set to false by default, but...
OESA-2022-1591 spark security update
Apache Spark achieves high performance for both batch and streaming data, using a state-of-the-art DAG scheduler, a query optimizer, and a physical execution engine. Security Fixes: Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and...