CVE-2025-55039
📋 TL;DR
Apache Spark versions before 3.4.4, 3.5.2, and 4.0.0 use an insecure default cipher (AES/CTR/NoPadding) for RPC encryption when spark.network.crypto.enabled is true, allowing man-in-the-middle attackers to modify encrypted traffic undetected. This affects Spark clusters where network encryption is enabled but the cipher isn't explicitly configured. Attackers could tamper with heartbeat messages or application data, compromising workflow integrity.
💻 Affected Systems
- Apache Spark
📦 What is this software?
Spark by Apache
⚠️ Risk & Real-World Impact
Worst Case
Attacker modifies critical RPC communications to disrupt cluster operations, inject malicious commands, or corrupt data processing workflows, leading to data integrity breaches or denial of service.
Likely Case
Attacker intercepts and alters non-critical RPC traffic to cause intermittent cluster instability, data corruption in specific jobs, or performance degradation.
If Mitigated
With proper cipher configuration or SSL enabled, RPC communications are authenticated and encrypted, preventing undetected modification even if intercepted.
🎯 Exploit Status
Exploitation requires a man-in-the-middle position on the network, the ability to intercept RPC traffic, and knowledge of the Spark cluster configuration. No public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Upgrade to Apache Spark 3.4.4, 3.5.2, or 4.0.0
Vendor Advisory: https://lists.apache.org/thread/zrgyy9l85nm2c7vk36vr7bkyorg3w4qq
Restart Required: Yes
Instructions:
1. Download the patched version from the Apache Spark website.
2. Stop all Spark services.
3. Replace the Spark installation with the patched version.
4. Restart Spark services.
5. Verify configuration changes if needed.
🔧 Temporary Workarounds
Configure secure cipher
Set spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption
spark-submit --conf spark.network.crypto.cipher=AES/GCM/NoPadding ...
Add to spark-defaults.conf: spark.network.crypto.cipher AES/GCM/NoPadding
Enable SSL encryption
Use SSL instead of network crypto for stronger transport security
spark-submit --conf spark.ssl.enabled=true ...
Add to spark-defaults.conf: spark.ssl.enabled true
🧯 If You Can't Patch
- Ensure spark.network.crypto.enabled=false (default) if not using network encryption
- Implement network segmentation to restrict access to Spark cluster nodes and prevent MITM attacks
🔍 How to Verify
Check if Vulnerable:
Check the Spark configuration: the deployment is vulnerable if spark.network.crypto.enabled=true, spark.network.crypto.cipher is not set to AES/GCM/NoPadding, and the Spark version is earlier than 3.4.4 / 3.5.2 / 4.0.0.
Check Version:
spark-submit --version 2>&1 | grep version
Verify Fix Applied:
Verify that spark.network.crypto.cipher=AES/GCM/NoPadding is set in the configuration, or that spark.ssl.enabled=true, or that the version is 3.4.4 / 3.5.2 / 4.0.0 or later.
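The verification steps above can be scripted for a fleet of clusters. The following is an added example written for this page, not tooling from the Apache Spark project: it parses a spark-defaults.conf file, extracts the Spark version from the text printed by spark-submit --version (which also prints a "Using Scala version ..." line that a plain grep for "version" will match, so that line is skipped), and applies the advisory's conditions. The sample configuration and version output embedded below are constructed for the example; the assumed config syntax is the usual "key value" or "key=value" form.

```python
"""Offline check for the CVE-2025-55039 exposure conditions.

Example code added for this advisory page (not Apache Spark's own tooling).
Assumptions: spark-defaults.conf uses `key value` or `key=value` lines with
'#' comments, and the version is taken from `spark-submit --version` output.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per minor line, as stated in the advisory.
FIXED_VERSIONS = {(3, 4): (3, 4, 4), (3, 5): (3, 5, 2)}
FIXED_MAJOR = 4            # 4.0.0 and later
SECURE_CIPHER = "AES/GCM/NoPadding"

# Constructed sample inputs (not captured from a real cluster).
SAMPLE_CONF_VULNERABLE = """\
# crypto enabled, cipher left at the insecure default (AES/CTR/NoPadding)
spark.network.crypto.enabled true
spark.executor.memory 4g
"""
SAMPLE_CONF_MITIGATED = """\
spark.network.crypto.enabled=true
spark.network.crypto.cipher=AES/GCM/NoPadding
"""
SAMPLE_VERSION_OUTPUT = """\
Welcome to Spark
   /___/ .__/\\_,_/_/ /_/\\_\\   version 3.5.1
Using Scala version 2.12.18, OpenJDK 64-Bit Server VM, 17.0.9
Branch HEAD
"""


def parse_spark_defaults(text: str) -> Dict[str, str]:
    """Parse spark-defaults.conf: skip blanks and '#' comments; the key is
    separated from the value by whitespace or '='."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^\s=]+)\s*[=\s]\s*(.*)$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def parse_spark_version(version_output: str) -> Optional[Version]:
    """Extract the Spark version, skipping the Scala version line that
    `spark-submit --version` also prints."""
    for line in version_output.splitlines():
        if "Scala" in line:
            continue
        m = re.search(r"\bversion\s+(\d+)\.(\d+)\.(\d+)", line)
        if m:
            return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return None


def version_is_fixed(v: Version) -> bool:
    """True for 4.0.0+, 3.4.4+ within 3.4.x, 3.5.2+ within 3.5.x.
    Older minor lines (e.g. 3.3.x) have no fixed release listed."""
    if v[0] >= FIXED_MAJOR:
        return True
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    return fixed is not None and v >= fixed


def assess(conf: Dict[str, str], version: Optional[Version]) -> str:
    """Return 'not-affected', 'mitigated', 'patched' or 'vulnerable'.

    Mirrors the advisory: crypto disabled -> not affected by this CVE
    (RPC traffic is then simply unencrypted); GCM cipher or SSL -> mitigated;
    fixed release -> patched; otherwise vulnerable. An unknown version is
    treated conservatively as unpatched."""
    def flag(key: str) -> bool:
        return conf.get(key, "false").strip().lower() == "true"

    if not flag("spark.network.crypto.enabled"):
        return "not-affected"
    if conf.get("spark.network.crypto.cipher") == SECURE_CIPHER:
        return "mitigated"
    if flag("spark.ssl.enabled"):
        return "mitigated"
    if version is not None and version_is_fixed(version):
        return "patched"
    return "vulnerable"


if __name__ == "__main__":
    ver = parse_spark_version(SAMPLE_VERSION_OUTPUT)
    for name, text in (("vulnerable.conf", SAMPLE_CONF_VULNERABLE),
                       ("mitigated.conf", SAMPLE_CONF_MITIGATED)):
        print(name, ver, "->", assess(parse_spark_defaults(text), ver))
```

In production, read spark-defaults.conf from $SPARK_HOME/conf (or the path given by --properties-file) and pipe the real spark-submit --version output into parse_spark_version; settings passed on the command line or set programmatically in SparkConf override the file, so also check those sources before treating a cluster as mitigated.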
📡 Detection & Monitoring
Log Indicators:
- Unexpected RPC communication failures
- Heartbeat timeouts or irregularities
- Spark driver/executor disconnections
Network Indicators:
- Unusual network traffic patterns between Spark nodes
- RPC packet manipulation attempts
SIEM Query:
source="spark*" AND ("RPC error" OR "heartbeat failure" OR "crypto error")