=====================================================================

                            CERT-Renater

                 Information Note No. 2025/VULN698
_____________________________________________________________________

DATE                : 15/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Spark versions prior to
                              3.4.4, 3.5.2, 4.0.0.

=====================================================================
https://lists.apache.org/thread/zrgyy9l85nm2c7vk36vr7bkyorg3w4qq
_____________________________________________________________________

CVE-2025-55039: Apache Spark: RPC encryption defaults
to unauthenticated AES-CTR mode, enabling man-in-the-middle
ciphertext modification attacks

Severity: moderate

Affected versions:

- Apache Spark (org.apache.spark:spark-network-common_2.13) 3.5.0 before 3.5.2
- Apache Spark (org.apache.spark:spark-network-common_2.13) before 3.4.4
- Apache Spark (org.apache.spark:spark-network-common_2.12) 3.5.0 before 3.5.2
- Apache Spark (org.apache.spark:spark-network-common_2.12) before 3.4.4


Description:

This issue affects Apache Spark versions before 3.4.4, 3.5.2 and
4.0.0.


Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure
default network encryption cipher for RPC communication between
nodes.

When spark.network.crypto.enabled is set to true (it is set to false
by default), but spark.network.crypto.cipher is not explicitly
configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding),
which provides encryption without authentication.

This vulnerability allows a man-in-the-middle attacker to modify
encrypted RPC traffic undetected by flipping bits in ciphertext,
potentially compromising heartbeat messages or application data
and affecting the integrity of Spark workflows.


To mitigate this issue, users should either configure
spark.network.crypto.cipher to AES/GCM/NoPadding to enable
authenticated encryption or enable SSL encryption by setting
spark.ssl.enabled to true, which provides stronger transport
security.
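
The check below is an added example, not part of the original advisory or of Apache Spark: it classifies the text of a spark-defaults.conf file against the condition and the two mitigations described above. It assumes the node runs an affected Spark version; the function names, status strings and sample configurations are constructed for illustration.

```python
import re

# Constructed sample configurations (not taken from any real cluster).
SAMPLES = {
    "crypto on, cipher unset": "spark.network.crypto.enabled true\n",
    "crypto on, GCM": (
        "spark.network.crypto.enabled=true\n"
        "spark.network.crypto.cipher  AES/GCM/NoPadding\n"
    ),
    "crypto on, SSL on": (
        "# constructed\n"
        "spark.network.crypto.enabled true\n"
        "spark.ssl.enabled true\n"
    ),
    "crypto off (default)": "spark.master local[2]\n",
}

def parse_spark_conf(text):
    """Parse spark-defaults.conf style lines into a dict.
    Simplification: key and value are split on the first '=' or whitespace run."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[=\s]+", line, maxsplit=1)
        conf[parts[0]] = parts[1] if len(parts) > 1 else ""
    return conf

def is_true(conf, key):
    return conf.get(key, "false").lower() == "true"

def audit(text):
    """Classify a config against the condition described in the advisory."""
    conf = parse_spark_conf(text)
    if not is_true(conf, "spark.network.crypto.enabled"):
        return "not-applicable"      # RPC crypto is off, so the CTR default is never used
    # Exact match on the value the advisory gives; anything else is treated as unmitigated.
    if conf.get("spark.network.crypto.cipher") == "AES/GCM/NoPadding":
        return "mitigated-gcm"
    if is_true(conf, "spark.ssl.enabled"):
        return "mitigated-ssl"
    return "exposed-ctr"             # cipher unset (CTR default) or not GCM

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {audit(text)}")
```

Settings passed on the command line or set in application code override the file, so a clean result here covers only the file that was checked.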


References:

https://spark.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-55039


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




