Document new security vulnerability in Apache Spark

security.md

@@ -59,6 +59,31 @@ before loading or deploying a model.
 
 <h2>Known security issues</h2>
 
+<h3 id="CVE-2025-55039">CVE-2025-55039: Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks</h3>
+
+Severity: Moderate
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+- Versions prior to 3.4.4, 3.5.2 and 4.0.0
+
+Description:
+
+Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.
+When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication.
+This vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.
+
+Mitigation:
+
+- Either configure `spark.network.crypto.cipher` to "AES/GCM/NoPadding" to enable authenticated encryption or enable SSL encryption by setting both `spark.ssl.enabled` and `spark.ssl.rpc.enabled` to "true", which provides stronger transport security.
+
+Credit:
+
+- Holden Karau
+
+
 <h3 id="CVE-2023-32007">CVE-2023-32007: Apache Spark shell command injection vulnerability via Spark UI</h3>
 
 This CVE is only an update to [CVE-2022-33891](#CVE-2022-33891) to clarify that version 3.1.3 is also

site/security.html

@@ -205,6 +205,36 @@ <h3>Is loading a machine learning model secure? Who is responsible for model sec
 
 <h2>Known security issues</h2>
 
+<h3 id="CVE-2025-55039">CVE-2025-55039: Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks</h3>
+
+<p>Severity: Moderate</p>
+
+<p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected:</p>
+
+<ul>
+  <li>Versions prior to 3.4.4, 3.5.2 and 4.0.0</li>
+</ul>
+
+<p>Description:</p>
+
+<p>Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.
+When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication.
+This vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.</p>
+
+<p>Mitigation:</p>
+
+<ul>
+  <li>Either configure <code class="language-plaintext highlighter-rouge">spark.network.crypto.cipher</code> to &#8220;AES/GCM/NoPadding&#8221; to enable authenticated encryption or enable SSL encryption by setting both <code class="language-plaintext highlighter-rouge">spark.ssl.enabled</code> and <code class="language-plaintext highlighter-rouge">spark.ssl.rpc.enabled</code> to &#8220;true&#8221;, which provides stronger transport security.</li>
+</ul>
+
+<p>Credit:</p>
+
+<ul>
+  <li>Holden Karau</li>
+</ul>
+
 <h3 id="CVE-2023-32007">CVE-2023-32007: Apache Spark shell command injection vulnerability via Spark UI</h3>
 
 <p>This CVE is only an update to <a href="#CVE-2022-33891">CVE-2022-33891</a> to clarify that version 3.1.3 is also

site/sitemap.xml

@@ -1201,15 +1201,15 @@
   <changefreq>weekly</changefreq>
 </url>
 <url>
-  <loc>https://spark.apache.org/graphx/</loc>
+  <loc>https://spark.apache.org/sql/</loc>
   <changefreq>weekly</changefreq>
 </url>
 <url>
   <loc>https://spark.apache.org/streaming/</loc>
   <changefreq>weekly</changefreq>
 </url>
 <url>
-  <loc>https://spark.apache.org/sql/</loc>
+  <loc>https://spark.apache.org/graphx/</loc>
   <changefreq>weekly</changefreq>
 </url>
 <url>