{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"spark security update", "category":"general", "title":"Synopsis" }, { "text":"An update for spark is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3.", "category":"general", "title":"Summary" }, { "text":"Apache Spark achieves high performance for both batch and streaming data, using a state-of-the-art DAG scheduler, a query optimizer, and a physical execution engine.\n\nSecurity Fix(es):\n\nApache Spark supports end-to-end encryption of RPC connections via \"spark.authenticate\" and \"spark.network.crypto.enabled\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Update to Apache Spark 3.1.3 or later(CVE-2021-38296)", "category":"general", "title":"Description" }, { "text":"An update for spark is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"spark", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2022-1591", "category":"self", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1591" }, { "summary":"CVE-2021-38296", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2021-38296&packageName=spark" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2021-38296" }, { "summary":"openEuler-SA-2022-1591 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2022/csaf-openeuler-sa-2022-1591.json" } ], "title":"An update for spark is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3", "tracking":{ "initial_release_date":"2022-03-26T09:38:40+08:00", "revision_history":[ { "date":"2022-03-26T09:38:40+08:00", "summary":"Initial", "number":"1.0.0" }, { "date":"2024-10-31T09:38:40+08:00", "summary":"final", "number":"2.0.0" } ], "generator":{ "date":"2024-10-31T09:38:40+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2024-10-31T09:38:40+08:00", "id":"openEuler-SA-2022-1591", "version":"2.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"openEuler-20.03-LTS-SP1", "name":"openEuler-20.03-LTS-SP1" }, "name":"openEuler-20.03-LTS-SP1", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2" }, "product_id":"openEuler-20.03-LTS-SP2", "name":"openEuler-20.03-LTS-SP2" }, "name":"openEuler-20.03-LTS-SP2", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3" }, "product_id":"openEuler-20.03-LTS-SP3", "name":"openEuler-20.03-LTS-SP3" }, "name":"openEuler-20.03-LTS-SP3", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"spark-3.2.0-1.oe1.aarch64.rpm(20.03-LTS-SP1)", "name":"spark-3.2.0-1.oe1.aarch64.rpm" }, "name":"spark-3.2.0-1.oe1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2" }, "product_id":"spark-3.2.0-1.oe1.aarch64.rpm(20.03-LTS-SP2)", "name":"spark-3.2.0-1.oe1.aarch64.rpm" }, "name":"spark-3.2.0-1.oe1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3" }, "product_id":"spark-3.2.0-1.oe1.aarch64.rpm(20.03-LTS-SP3)", "name":"spark-3.2.0-1.oe1.aarch64.rpm" }, "name":"spark-3.2.0-1.oe1.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"spark-3.2.0-1.oe1.src.rpm(20.03-LTS-SP1)", "name":"spark-3.2.0-1.oe1.src.rpm" }, "name":"spark-3.2.0-1.oe1.src.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2" }, "product_id":"spark-3.2.0-1.oe1.src.rpm(20.03-LTS-SP2)", "name":"spark-3.2.0-1.oe1.src.rpm" }, "name":"spark-3.2.0-1.oe1.src.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3" }, "product_id":"spark-3.2.0-1.oe1.src.rpm(20.03-LTS-SP3)", "name":"spark-3.2.0-1.oe1.src.rpm" }, "name":"spark-3.2.0-1.oe1.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"spark-3.2.0-1.oe1.x86_64.rpm(20.03-LTS-SP1)", "name":"spark-3.2.0-1.oe1.x86_64.rpm" }, "name":"spark-3.2.0-1.oe1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2" }, "product_id":"spark-3.2.0-1.oe1.x86_64.rpm(20.03-LTS-SP2)", "name":"spark-3.2.0-1.oe1.x86_64.rpm" }, "name":"spark-3.2.0-1.oe1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3" }, "product_id":"spark-3.2.0-1.oe1.x86_64.rpm(20.03-LTS-SP3)", "name":"spark-3.2.0-1.oe1.x86_64.rpm" }, "name":"spark-3.2.0-1.oe1.x86_64.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"spark-3.2.0-1.oe1.aarch64.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:spark-3.2.0-1.oe1.aarch64", "name":"spark-3.2.0-1.oe1.aarch64 as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP2", "product_reference":"spark-3.2.0-1.oe1.aarch64.rpm(20.03-LTS-SP2)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP2:spark-3.2.0-1.oe1.aarch64", "name":"spark-3.2.0-1.oe1.aarch64 as a component of openEuler-20.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP3", "product_reference":"spark-3.2.0-1.oe1.aarch64.rpm(20.03-LTS-SP3)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP3:spark-3.2.0-1.oe1.aarch64", "name":"spark-3.2.0-1.oe1.aarch64 as a component of openEuler-20.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"spark-3.2.0-1.oe1.src.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:spark-3.2.0-1.oe1.src", "name":"spark-3.2.0-1.oe1.src as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP2", "product_reference":"spark-3.2.0-1.oe1.src.rpm(20.03-LTS-SP2)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP2:spark-3.2.0-1.oe1.src", "name":"spark-3.2.0-1.oe1.src as a component of openEuler-20.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP3", "product_reference":"spark-3.2.0-1.oe1.src.rpm(20.03-LTS-SP3)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP3:spark-3.2.0-1.oe1.src", "name":"spark-3.2.0-1.oe1.src as a component of openEuler-20.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"spark-3.2.0-1.oe1.x86_64.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:spark-3.2.0-1.oe1.x86_64", "name":"spark-3.2.0-1.oe1.x86_64 as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP2", "product_reference":"spark-3.2.0-1.oe1.x86_64.rpm(20.03-LTS-SP2)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP2:spark-3.2.0-1.oe1.x86_64", "name":"spark-3.2.0-1.oe1.x86_64 as a component of openEuler-20.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP3", "product_reference":"spark-3.2.0-1.oe1.x86_64.rpm(20.03-LTS-SP3)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP3:spark-3.2.0-1.oe1.x86_64", "name":"spark-3.2.0-1.oe1.x86_64 as a component of openEuler-20.03-LTS-SP3" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2021-38296", "notes":[ { "text":"Apache Spark supports end-to-end encryption of RPC connections via spark.authenticate and spark.network.crypto.enabled . In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by spark.authenticate.enableSaslEncryption , spark.io.encryption.enabled , spark.ssl , spark.ui.strictTransportSecurity . Update to Apache Spark 3.1.3 or later", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP1:spark-3.2.0-1.oe1.aarch64", "openEuler-20.03-LTS-SP2:spark-3.2.0-1.oe1.aarch64", "openEuler-20.03-LTS-SP3:spark-3.2.0-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:spark-3.2.0-1.oe1.src", "openEuler-20.03-LTS-SP2:spark-3.2.0-1.oe1.src", "openEuler-20.03-LTS-SP3:spark-3.2.0-1.oe1.src", "openEuler-20.03-LTS-SP1:spark-3.2.0-1.oe1.x86_64", "openEuler-20.03-LTS-SP2:spark-3.2.0-1.oe1.x86_64", "openEuler-20.03-LTS-SP3:spark-3.2.0-1.oe1.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP1:spark-3.2.0-1.oe1.aarch64", "openEuler-20.03-LTS-SP2:spark-3.2.0-1.oe1.aarch64", "openEuler-20.03-LTS-SP3:spark-3.2.0-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:spark-3.2.0-1.oe1.src", "openEuler-20.03-LTS-SP2:spark-3.2.0-1.oe1.src", "openEuler-20.03-LTS-SP3:spark-3.2.0-1.oe1.src", "openEuler-20.03-LTS-SP1:spark-3.2.0-1.oe1.x86_64", "openEuler-20.03-LTS-SP2:spark-3.2.0-1.oe1.x86_64", "openEuler-20.03-LTS-SP3:spark-3.2.0-1.oe1.x86_64" ], "details":"spark security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1591" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP1:spark-3.2.0-1.oe1.aarch64", "openEuler-20.03-LTS-SP2:spark-3.2.0-1.oe1.aarch64", "openEuler-20.03-LTS-SP3:spark-3.2.0-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:spark-3.2.0-1.oe1.src", "openEuler-20.03-LTS-SP2:spark-3.2.0-1.oe1.src", "openEuler-20.03-LTS-SP3:spark-3.2.0-1.oe1.src", "openEuler-20.03-LTS-SP1:spark-3.2.0-1.oe1.x86_64", "openEuler-20.03-LTS-SP2:spark-3.2.0-1.oe1.x86_64", "openEuler-20.03-LTS-SP3:spark-3.2.0-1.oe1.x86_64" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2021-38296" } ] }