CVE-2025-55039 (GCVE-0-2025-55039)
Vulnerability from cvelistv5
Published
2025-10-15 07:19
Modified
2025-10-15 19:33
Severity ?
CWE
  • CWE-347 - Improper Verification of Cryptographic Signature
  • CWE-326 - Inadequate Encryption Strength
Summary
This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes. When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication. This vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows. To mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or enable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache Spark Version: 3.5.0   
Version: 0   
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-55039",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-15T19:33:07.860034Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-15T19:33:31.064Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.spark:spark-network-common_2.13",
          "product": "Apache Spark",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "3.5.2",
              "status": "affected",
              "version": "3.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.4.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.spark:spark-network-common_2.12",
          "product": "Apache Spark",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "3.5.2",
              "status": "affected",
              "version": "3.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.4.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThis issue affects Apache Spark versions before  3.4.4,\u0026nbsp;3.5.2 and 4.0.0.\u003c/p\u003e\u003cp\u003e\u003c/p\u003eApache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.\u003cp\u003e\u003c/p\u003e\u003cp\u003eWhen \u003ccode\u003espark.network.crypto.enabled\u003c/code\u003e is set to true (it is set to false by default), but \u003ccode\u003espark.network.crypto.cipher\u003c/code\u003e is not explicitly configured, Spark defaults to AES in CTR mode (\u003ccode\u003eAES/CTR/NoPadding\u003c/code\u003e), which provides encryption without authentication.\u003c/p\u003e\u003cp\u003eThis vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eTo mitigate this issue, users should either configure \u003ccode\u003espark.network.crypto.cipher\u003c/code\u003e to \u003ccode\u003eAES/GCM/NoPadding\u003c/code\u003e to enable authenticated encryption or\u003c/p\u003e\u003cp\u003eenable SSL encryption by setting \u003ccode\u003espark.ssl.enabled\u003c/code\u003e to true, which provides stronger transport security.\u003c/p\u003e"
            }
          ],
          "value": "This issue affects Apache Spark versions before  3.4.4,\u00a03.5.2 and 4.0.0.\n\n\n\nApache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.\n\nWhen spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication.\n\nThis vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.\n\n\nTo mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or\n\nenable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347 Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-326",
              "description": "CWE-326 Inadequate Encryption Strength",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-15T07:19:25.493Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/zrgyy9l85nm2c7vk36vr7bkyorg3w4qq"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Spark, Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-55039",
    "datePublished": "2025-10-15T07:19:25.493Z",
    "dateReserved": "2025-08-06T00:27:38.654Z",
    "dateUpdated": "2025-10-15T19:33:31.064Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-55039\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-10-15T08:15:38.460\",\"lastModified\":\"2025-10-16T15:28:59.610\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"This issue affects Apache Spark versions before  3.4.4,\u00a03.5.2 and 4.0.0.\\n\\n\\n\\nApache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.\\n\\nWhen spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication.\\n\\nThis vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.\\n\\n\\nTo mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or\\n\\nenable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-326\"},{\"lang\":\"en\",\"value\":\"CWE-347\"}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/zrgyy9l85nm2c7vk36vr7bkyorg3w4qq\",\"source\":\"security@apache.org\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\", \"packageName\": \"org.apache.spark:spark-network-common_2.13\", \"product\": \"Apache Spark\", \"vendor\": \"Apache Software Foundation\", \"versions\": [{\"lessThan\": \"3.5.2\", \"status\": \"affected\", \"version\": \"3.5.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"3.4.4\", \"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\"}]}, {\"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\", \"packageName\": \"org.apache.spark:spark-network-common_2.12\", \"product\": \"Apache Spark\", \"vendor\": \"Apache Software Foundation\", \"versions\": [{\"lessThan\": \"3.5.2\", \"status\": \"affected\", \"version\": \"3.5.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"3.4.4\", \"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\"}]}], \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"\u003cp\u003eThis issue affects Apache Spark versions before  3.4.4,\u0026nbsp;3.5.2 and 4.0.0.\u003c/p\u003e\u003cp\u003e\u003c/p\u003eApache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.\u003cp\u003e\u003c/p\u003e\u003cp\u003eWhen \u003ccode\u003espark.network.crypto.enabled\u003c/code\u003e is set to true (it is set to false by default), but \u003ccode\u003espark.network.crypto.cipher\u003c/code\u003e is not explicitly configured, Spark defaults to AES in CTR mode (\u003ccode\u003eAES/CTR/NoPadding\u003c/code\u003e), which provides encryption without authentication.\u003c/p\u003e\u003cp\u003eThis vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eTo mitigate this issue, users should either configure \u003ccode\u003espark.network.crypto.cipher\u003c/code\u003e to \u003ccode\u003eAES/GCM/NoPadding\u003c/code\u003e to enable authenticated encryption or\u003c/p\u003e\u003cp\u003eenable SSL encryption by setting \u003ccode\u003espark.ssl.enabled\u003c/code\u003e to true, which provides stronger transport security.\u003c/p\u003e\"}], \"value\": \"This issue affects Apache Spark versions before  3.4.4,\\u00a03.5.2 and 4.0.0.\\n\\n\\n\\nApache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.\\n\\nWhen spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication.\\n\\nThis vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.\\n\\n\\nTo mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or\\n\\nenable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.\"}], \"metrics\": [{\"other\": {\"content\": {\"text\": \"moderate\"}, \"type\": \"Textual description of severity\"}}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-347\", \"description\": \"CWE-347 Improper Verification of Cryptographic Signature\", \"lang\": \"en\", \"type\": \"CWE\"}]}, {\"descriptions\": [{\"cweId\": \"CWE-326\", \"description\": \"CWE-326 Inadequate Encryption Strength\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-10-15T07:19:25.493Z\"}, \"references\": [{\"tags\": [\"vendor-advisory\"], \"url\": \"https://lists.apache.org/thread/zrgyy9l85nm2c7vk36vr7bkyorg3w4qq\"}], \"source\": {\"discovery\": \"UNKNOWN\"}, \"title\": \"Apache Spark, Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks\", \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-55039\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-15T19:33:07.860034Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-15T19:33:25.808Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-55039\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"apache\", \"dateReserved\": \"2025-08-06T00:27:38.654Z\", \"datePublished\": \"2025-10-15T07:19:25.493Z\", \"dateUpdated\": \"2025-10-15T19:33:31.064Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.