Hi Sean, I don't find it in 3.1.3 release notes https://spark.apache.org/releases/spark-release-3-1-3.html. Is it tracked somewhere?
On Thu, Mar 10, 2022 at 6:14 AM Sean R. Owen <sro...@apache.org> wrote:
> Severity: moderate
>
> Description:
>
> Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity".
>
> Mitigation:
>
> Update to Apache Spark 3.1.3 or later
>
> Credit:
>
> Steve Weis (Databricks)
>
> ---------------------------------------------------------------------
> To unsubscribe e-mail: dev-unsubscr...@spark.apache.org
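As an added example (not part of this thread or of the Spark project), a small Python check that applies the advisory's conditions to a deployment: Spark 3.1.2 or earlier with both "spark.authenticate" and "spark.network.crypto.enabled" turned on. The hostnames and the spark-defaults.conf contents are constructed; the version parser reads the leading major.minor.patch and ignores any suffix.

```python
import re

# Constructed sample spark-defaults.conf (not from the advisory or any real cluster).
SAMPLE_CONF = """
# RPC authentication and encryption, the settings named in the advisory
spark.authenticate            true
spark.network.crypto.enabled  true
# Listed by the advisory as NOT affected
spark.io.encryption.enabled = true
"""

TRUTHY = {"true", "yes", "1"}
FIXED_IN = (3, 1, 3)  # "Update to Apache Spark 3.1.3 or later"


def parse_spark_defaults(text):
    """Parse spark-defaults.conf lines of the form 'key value' or 'key=value'."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def parse_version(version):
    """Return (major, minor, patch) from strings such as '3.1.2'; suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Spark version: {version!r}")
    return tuple(int(g) for g in m.groups())


def uses_rpc_encryption(conf):
    """The advisory applies only when both RPC settings are enabled."""
    return all(conf.get(k, "false").lower() in TRUTHY
               for k in ("spark.authenticate", "spark.network.crypto.enabled"))


def is_affected(version, conf):
    """True when this deployment runs 3.1.2 or earlier with RPC encryption on."""
    return uses_rpc_encryption(conf) and parse_version(version) < FIXED_IN


def audit(fleet):
    """fleet: {host: (spark_version, spark_defaults_text)} -> sorted affected hosts."""
    return sorted(host for host, (ver, text) in fleet.items()
                  if is_affected(ver, parse_spark_defaults(text)))


if __name__ == "__main__":
    print(audit({"etl-1": ("3.1.2", SAMPLE_CONF), "etl-2": ("3.1.3", SAMPLE_CONF)}))  # ['etl-1']
```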