An update for spark is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2022-1591
Final
1.0
1.0
2022-03-26
Initial
2022-03-26
2022-03-26
openEuler SA Tool V1.0
2022-03-26
spark security update
An update for spark is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3.
Apache Spark achieves high performance for both batch and streaming data, using a state-of-the-art DAG scheduler, a query optimizer, and a physical execution engine.
Security Fix(es):
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later(CVE-2021-38296)
An update for spark is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3.
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
High
spark
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1591
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-38296
https://nvd.nist.gov/vuln/detail/CVE-2021-38296
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP2
openEuler-20.03-LTS-SP3
spark-3.2.0-1.oe1.aarch64.rpm
spark-3.2.0-1.oe1.aarch64.rpm
spark-3.2.0-1.oe1.aarch64.rpm
spark-3.2.0-1.oe1.src.rpm
spark-3.2.0-1.oe1.src.rpm
spark-3.2.0-1.oe1.src.rpm
spark-3.2.0-1.oe1.x86_64.rpm
spark-3.2.0-1.oe1.x86_64.rpm
spark-3.2.0-1.oe1.x86_64.rpm
Apache Spark supports end-to-end encryption of RPC connections via spark.authenticate and spark.network.crypto.enabled . In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by spark.authenticate.enableSaslEncryption , spark.io.encryption.enabled , spark.ssl , spark.ui.strictTransportSecurity . Update to Apache Spark 3.1.3 or later
2022-03-26
CVE-2021-38296
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP2
openEuler-20.03-LTS-SP3
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
spark security update
2022-03-26
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1591