SB2025112447 - Inadequate encryption strength in Apache Spark

Description

This security bulletin contains information about 1 security vulnerability.

1) Inadequate Encryption Strength (CVE-ID: CVE-2025-55039)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the use of an insecure default network encryption cipher for RPC communication between nodes. When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication. A remote man-in-the-middle attacker can modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.

Remediation

Install update from vendor's website.

References

• https://lists.apache.org/thread/zrgyy9l85nm2c7vk36vr7bkyorg3w4qq
• http://www.openwall.com/lists/oss-security/2025/10/14/11
• https://lists.apache.org/thread/x4mk9933yyxfl0cpzg85jvzt788640v7