Document new security vulnerability in Apache Spark

[miqowhy]

Added details about CVE-2025-55039 vulnerability in Apache Spark, including severity, affected versions, descriptions, mitigations, and credit.

Two remarks:

• I've taken the affected versions from @holdenk description, but I think all newer versions are also affected
• For @holdenk 2nd mitigation - I think setting spark.ssl.enabled=true is not enough, you also need spark.ssl.rpc.enabled=true, at least that's what the documentation says

[holdenk]

Thanks for adding this! There's a build step you need to follow the for website changes to be visible.

[miqowhy]

Thanks for the reply, I'll follow the build step.

But in parallel I think we need to clarify the affected versions - I'll be reproducing the CVE to check, but is there any reason why newer versions are not affected by this vulnerability?

Looking at the docs of the latest version it looks like the vulnerable default is still in place.

Or am I missing something?

[holdenk]

So I think https://issues.apache.org/jira/browse/SPARK-47172 indicates that the new config option is recommended for the new versions which if you follow the guidance in security settings is secure.

[miqowhy]

Thanks for adding this! There's a build step you need to follow the for website changes to be visible.

I've run the build step now, hope this is enough

[miqowhy]

Anything preventing us from merging? @holdenk @pan3793