Hi team, Thank you for the announcement.
> To mitigate this issue, users should either configure > spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated > encryption or enable SSL encryption by setting spark.ssl.enabled to true, > which provides stronger transport security. We enabled spark.network.crypto.cipher to AES/GCM/NoPadding on the Spark on YARN cluster, and we faced job failures (https://issues.apache.org/jira/browse/SPARK-56227). I created a patch to fix these failures, and the PRs are ready: - https://github.com/apache/spark/pull/55028 (for master) - https://github.com/apache/spark/pull/55621 (for branch-3.5) Since we are running Spark 3.x and SSL encryption is not available, we would like to use AES/GCM/NoPadding. How can I proceed to merge this fix into master and branch-3.5? Best regards, Akira Ajisaka On Wed, Oct 15, 2025 at 4:48 AM Holden Karau <[email protected]> wrote: > > Severity: moderate > > Affected versions: > > - Apache Spark (org.apache.spark:spark-network-common_2.13) 3.5.0 before 3.5.2 > - Apache Spark (org.apache.spark:spark-network-common_2.13) before 3.4.4 > - Apache Spark (org.apache.spark:spark-network-common_2.12) 3.5.0 before 3.5.2 > - Apache Spark (org.apache.spark:spark-network-common_2.12) before 3.4.4 > > Description: > > This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. > > > > Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default > network encryption cipher for RPC communication between nodes. > > When spark.network.crypto.enabled is set to true (it is set to false by > default), but spark.network.crypto.cipher is not explicitly configured, Spark > defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption > without authentication. > > This vulnerability allows a man-in-the-middle attacker to modify encrypted > RPC traffic undetected by flipping bits in ciphertext, potentially > compromising heartbeat messages or application data and affecting the > integrity of Spark workflows. > > > To mitigate this issue, users should either configure > spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated > encryption or > > enable SSL encryption by setting spark.ssl.enabled to true, which provides > stronger transport security. > > References: > > https://spark.apache.org/ > https://www.cve.org/CVERecord?id=CVE-2025-55039 > > > --------------------------------------------------------------------- > To unsubscribe e-mail: [email protected] > --------------------------------------------------------------------- To unsubscribe e-mail: [email protected]
