Apache Spark Key Negotiation Vulnerability
Description
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Spark 3.1.2 and earlier uses a bespoke mutual authentication protocol allowing full encryption key recovery and offline decryption of RPC traffic.
Vulnerability
Apache Spark supports end-to-end encryption of RPC connections via spark.authenticate and spark.network.crypto.enabled. In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery [1][2][3]. This vulnerability does not affect security mechanisms controlled by spark.authenticate.enableSaslEncryption, spark.io.encryption.enabled, spark.ssl, or spark.ui.strictTransportSecurity [1].
Exploitation
The attacker first runs an interactive attack against the key-negotiation protocol to recover the RPC encryption key; once the key is known, captured RPC traffic can be decrypted offline [1]. This requires a network position from which the attacker can both interact with the RPC endpoint and capture its traffic, for example as a man-in-the-middle [2].
Impact
Successful exploitation allows an attacker to recover the full encryption key and decrypt RPC traffic offline, leading to disclosure of sensitive data transmitted over RPC connections [1][2].
Mitigation
Update to Apache Spark 3.1.3 or later [1]. No workarounds are currently available; users must apply the patch [2][3].
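The following is an added example, not code from the Apache Spark project or from the advisory, that turns the facts above into a configuration check: a deployment is flagged only when spark.authenticate and spark.network.crypto.enabled are both on and the Spark version is below 3.1.3. The conf parser, the version parser and the sample spark-defaults.conf are all constructed for this example; the settings the advisory lists as unaffected are recorded so the check does not misreport them.

```python
"""Added example: flag a Spark deployment whose RPC encryption relies on the
key-negotiation protocol fixed in Apache Spark 3.1.3 (CVE-2021-38296).
Not project code; the parsers below are written for this example."""
import re

# The advisory fixes the issue in 3.1.3; anything below is affected when the
# two settings checked in is_exposed() are both enabled.
FIXED_VERSION = (3, 1, 3)

# Settings the advisory explicitly says are NOT affected by this CVE. They are
# listed only so a reviewer does not confuse them with the exposed mechanism;
# they play no part in the verdict.
UNRELATED_SETTINGS = {
    "spark.authenticate.enableSaslEncryption",
    "spark.io.encryption.enabled",
    "spark.ssl.*",
    "spark.ui.strictTransportSecurity",
}

# Constructed sample spark-defaults.conf (not from a real deployment).
SAMPLE_CONF = """
# spark-defaults.conf
spark.master                     spark://master:7077
spark.authenticate               true
spark.authenticate.secret        REDACTED
spark.network.crypto.enabled     true
spark.io.encryption.enabled      true   # shuffle/disk encryption, not affected
"""


def parse_spark_conf(text):
    """Parse spark-defaults.conf text: one 'key value' (or key=value) per line,
    '#' starts a comment. Returns a dict of raw string values."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([^\s=:]+)\s*[=:]?\s*(.*)", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def parse_version(version):
    """Reduce a Spark version string such as '3.1.2' or '3.1.2-SNAPSHOT' to a
    comparable (major, minor, patch) tuple; None if it cannot be parsed."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def _is_true(value):
    # Spark treats these flags as booleans; both default to false when unset.
    return value is not None and value.strip().lower() == "true"


def is_exposed(version, conf):
    """Decide whether this version/config combination is exposed to the key
    recovery described in the advisory. Returns a dict with the verdict and
    the reason, so callers can log it."""
    v = parse_version(version)
    if v is None:
        raise ValueError("unparseable Spark version: %r" % version)
    auth = _is_true(conf.get("spark.authenticate"))
    crypto = _is_true(conf.get("spark.network.crypto.enabled"))
    if v >= FIXED_VERSION:
        return {"exposed": False, "reason": "Spark %s includes the fix (>= 3.1.3)" % version}
    if not (auth and crypto):
        return {"exposed": False,
                "reason": "RPC key negotiation not in use "
                          "(spark.authenticate=%s, spark.network.crypto.enabled=%s)" % (auth, crypto)}
    return {"exposed": True,
            "reason": "Spark %s with spark.authenticate and spark.network.crypto.enabled "
                      "uses the key-negotiation protocol fixed in 3.1.3; upgrade" % version}


if __name__ == "__main__":
    conf = parse_spark_conf(SAMPLE_CONF)
    for ver in ("3.1.2", "3.1.3"):
        print(ver, is_exposed(ver, conf))
```

Run it against the real spark-defaults.conf of a cluster plus the version reported by spark-submit --version; settings passed on the command line with --conf override the file and must be merged into the dict before calling is_exposed.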
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.spark:spark-core | Maven | < 3.1.3 | 3.1.3 |
| pyspark | PyPI | < 3.1.3 | 3.1.3 |
Affected products
- OSV coordinates (no CPE), 3 entries: range < 3.1.3
- Apache Software Foundation / Apache Spark: up to and including version 3.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-9rr6-jpg7-9jg6 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-38296 (advisory)
- github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-186.yaml (web)
- lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd (web, MISC)
- www.oracle.com/security-alerts/cpujul2022.html (web, MISC)
News mentions
No linked articles in our index yet.