CVE-2025-55039
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | spark | Up to 3.4.4 (exclusive) |
| apache | spark | From 3.5.0 (inclusive) to 3.5.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-326 | The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Apache Spark versions before 3.4.4, 3.5.2, and 4.0.0. When network encryption is enabled (spark.network.crypto.enabled=true) but the encryption cipher is not explicitly set, Spark defaults to using AES in CTR mode without authentication. This means encrypted RPC traffic between nodes can be modified by a man-in-the-middle attacker without detection, potentially compromising the integrity of heartbeat messages or application data.
How can this vulnerability impact me?
An attacker performing a man-in-the-middle attack can undetectably alter encrypted RPC traffic between Spark nodes. This can compromise the integrity of critical communications such as heartbeat messages or application data, potentially disrupting Spark workflows and causing incorrect or unreliable processing results.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or enable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.
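One way to check a Spark configuration for the condition described above. This is an added example, not code from the advisory or from the Apache Spark project. The function names `parse_spark_conf` and `audit_rpc_crypto` and the sample configurations are hypothetical; the check looks only at the three properties named on this page and assumes an affected Spark version.

```python
import re

AUTHENTICATED_CIPHER = "AES/GCM/NoPadding"  # value recommended on this page


def parse_spark_conf(text):
    """Parse spark-defaults.conf style text into a dict (last key wins).

    Simplification (assumption): keys and values are separated by
    whitespace or '='; a line starting with '#' is a comment.
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        conf[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return conf


def audit_rpc_crypto(conf):
    """Return (status, reason) for the RPC encryption settings."""
    if conf.get("spark.network.crypto.enabled", "false").lower() != "true":
        return ("not_applicable", "spark.network.crypto.enabled is not true")
    if conf.get("spark.ssl.enabled", "false").lower() == "true":
        return ("mitigated", "spark.ssl.enabled=true")
    cipher = conf.get("spark.network.crypto.cipher")
    if cipher is None:
        return ("exposed", "cipher unset: falls back to unauthenticated AES-CTR")
    if cipher == AUTHENTICATED_CIPHER:  # exact match, to stay conservative
        return ("mitigated", "cipher is " + AUTHENTICATED_CIPHER)
    return ("exposed", "cipher %r is not %s" % (cipher, AUTHENTICATED_CIPHER))


# Constructed sample configurations (not taken from a real cluster).
SAMPLE_DEFAULT_CIPHER = """
# RPC encryption on, cipher left at its default
spark.authenticate              true
spark.network.crypto.enabled    true
"""
SAMPLE_GCM = SAMPLE_DEFAULT_CIPHER + "spark.network.crypto.cipher=AES/GCM/NoPadding\n"
SAMPLE_SSL = SAMPLE_DEFAULT_CIPHER + "spark.ssl.enabled true\n"

if __name__ == "__main__":
    for name, text in [("default", SAMPLE_DEFAULT_CIPHER), ("gcm", SAMPLE_GCM), ("ssl", SAMPLE_SSL)]:
        print(name, audit_rpc_crypto(parse_spark_conf(text)))
```

Settings passed with `--conf` on the command line or set in application code override the file, so the merged configuration of a running application is the authoritative input for this check.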