CVE-2019-10099
Description
Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in PySpark, using broadcast and parallelize; and use of Python UDFs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Spark prior to 2.3.3 fails to encrypt user data written to local disk despite enabling spark.io.encryption, exposing cached blocks, RDDs, and UDF data.
Vulnerability
Overview
CVE-2019-10099 affects Apache Spark versions before 2.3.3. The issue is that user data is written to local disk without encryption even when the configuration spark.io.encryption.enabled=true is set [1]. This occurs in specific operations: remote cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem), parallelize in SparkR, broadcast and parallelize in PySpark, and Python UDFs [1]. The root cause is that the encryption setting is not applied consistently to all disk write paths.
Exploitation
Prerequisites
The vulnerability requires an attacker to have access to the local disk of the Spark worker nodes. In shared or multi-tenant environments, an adversary with local file system access (or the ability to read from disk after the data is written) could potentially read unencrypted cached blocks, broadcast variables, and intermediate data from Python UDFs [2]. No network-level attack is necessary; the attacker must be able to read the filesystem or memory of the Spark worker.
Impact
An attacker who gains access to the local disk can recover sensitive user data that was intended to be encrypted. This includes cached RDDs, broadcast data, and temporary files created during PySpark and SparkR operations. The lack of encryption undermines compliance with data protection requirements and exposes confidential information [1].
Mitigation
Users should upgrade to Apache Spark 2.3.3 or later, which ensures that encryption is applied consistently to all disk writes when spark.io.encryption.enabled=true is set [1]. For environments that cannot upgrade immediately, consider restricting local disk access on worker nodes or using encrypted file systems as a workaround. No evidence of active exploitation in the wild has been reported at the time of disclosure.
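As an added example (not code from the advisory or from Apache Spark), the following audit helper checks whether a deployment relies on spark.io.encryption on a Spark version in which the disk write paths named above bypass it. It assumes the operator can supply the Spark version string and the text of spark-defaults.conf; the 2.3.3 threshold and option names are taken from the advisory.

```python
"""Audit a Spark deployment for exposure to CVE-2019-10099 (added example)."""
import re

FIXED_VERSION = (2, 3, 3)  # first release that encrypts every local-disk write path

# Write paths the advisory lists as bypassing spark.io.encryption before 2.3.3.
CLEARTEXT_PATHS = (
    "remote blocks fetched to disk (spark.maxRemoteBlockSizeFetchToMem)",
    "SparkR parallelize",
    "PySpark broadcast and parallelize",
    "Python UDFs",
)

def parse_version(version: str) -> tuple:
    """Reduce '2.3.2', '2.4.0-SNAPSHOT' or '2.3.3.1' to (major, minor, patch)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Spark version: {version!r}")
    return tuple(int(x) for x in m.groups())

def parse_spark_defaults(text: str) -> dict:
    """Parse spark-defaults.conf: 'key value' or 'key=value' lines, '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf

def assess(version: str, conf: dict) -> dict:
    """Report whether local-disk writes may be cleartext despite the encryption flag."""
    vulnerable = parse_version(version) < FIXED_VERSION
    encryption_on = conf.get("spark.io.encryption.enabled", "false").lower() == "true"
    # The bug only matters when the operator relies on spark.io.encryption for data at rest.
    exposed = vulnerable and encryption_on
    return {
        "version_vulnerable": vulnerable,
        "encryption_enabled": encryption_on,
        "exposed": exposed,
        "cleartext_paths": list(CLEARTEXT_PATHS) if exposed else [],
        "action": "upgrade to Spark 2.3.3 or later" if vulnerable else "none",
    }

# Constructed sample configuration; not taken from any real deployment.
SAMPLE_CONF = """
# spark-defaults.conf (constructed sample)
spark.io.encryption.enabled        true
spark.maxRemoteBlockSizeFetchToMem = 200m
"""

if __name__ == "__main__":
    print(assess("2.3.2", parse_spark_defaults(SAMPLE_CONF)))
```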
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.spark:spark-core_2.11 | Maven | < 2.3.3 | 2.3.3 |
| pyspark | PyPI | < 2.3.3 | 2.3.3 |
Affected products
- GHSA coordinates (no CPE): range < 2.3.3
- GHSA coordinates (no CPE): range < 2.3.3
- Apache / Apache Spark (v5): range 2.3.2 and below
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-fp5j-3fpf-mhj5 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10099 (GHSA, advisory)
- github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2019-114.yaml (GHSA, web)
- lists.apache.org/thread.html/c2a39c207421797f82823a8aff488dcd332d9544038307bf69a2ba9e@%3Cuser.spark.apache.org%3E (MITRE, x_refsource_MISC; GHSA, web)
- lists.apache.org/thread.html/ra216b7b0dd82a2c12c2df9d6095e689eb3f3d28164e6b6587da69fae@%3Ccommits.spark.apache.org%3E (MITRE, mailing list, x_refsource_MLIST; GHSA, web)
- lists.apache.org/thread.html/rabe1d47e2bf8b8f6d9f3068c8d2679731d57fa73b3a7ed1fa82406d2@%3Cissues.spark.apache.org%3E (MITRE, mailing list, x_refsource_MLIST; GHSA, web)
News mentions
No linked articles in our index yet.