From 48e8c20c84586d2860e80e87191299f651ceaaa5 Mon Sep 17 00:00:00 2001 From: miqowhy <38476775+miqowhy@users.noreply.github.com> Date: Tue, 24 Mar 2026 06:59:14 +0100 Subject: [PATCH 1/3] Document new security vulnerability in Apache Spark Added details about CVE-2025-55039 vulnerability in Apache Spark, including severity, affected versions, descriptions, mitigations, and credit. --- security.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/security.md b/security.md index 38ee3a6179..1160c2ff7c 100644 --- a/security.md +++ b/security.md @@ -58,6 +58,30 @@ This includes verifying the source, validating integrity, and applying appropria before loading or deploying a model.

Known security issues

+

CVE-2025-55039: Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks

+ +Severity: Moderate + +Vendor: The Apache Software Foundation + +Versions Affected: + +- Versions prior to 3.4.4, 3.5.2 and 4.0.0 + +Description: + +Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes. +When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication. +This vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows. + +Mitigation: + +- Either configure `spark.network.crypto.cipher` to "AES/GCM/NoPadding" to enable authenticated encryption or enable SSL encryption by setting both `spark.ssl.enabled` and `spark.ssl.rpc.enabled` to "true", which provides stronger transport security. + +Credit: + +- Holden Karau +

CVE-2023-32007: Apache Spark shell command injection vulnerability via Spark UI
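Review bot: the Mitigation list in this hunk never tells the reader to upgrade, and its single bullet does not say whether `spark.network.crypto.cipher` is honoured on the affected releases at all. The entry names 3.4.4, 3.5.2 and 4.0.0 as the versions where the behaviour changed, so an operator on an earlier release who only adds `spark.network.crypto.cipher=AES/GCM/NoPadding` cannot tell from this text whether the setting takes effect or is silently ignored. Suggest a first bullet of the form "Upgrade to Apache Spark 3.4.4, 3.5.2 or 4.0.0 or later" and then splitting the "Either ... or ..." sentence into two bullets, one for the GCM cipher and one for `spark.ssl.enabled` plus `spark.ssl.rpc.enabled`, so each option stands on its own. Two smaller points in the same hunk: the Description paragraph writes spark.network.crypto.enabled and spark.network.crypto.cipher as plain text while the Mitigation wraps the same property names in backticks, and "Versions prior to 3.4.4, 3.5.2 and 4.0.0" can be read as "everything below 4.0.0", which would include 3.5.2 and later 3.5.x; stating the range per minor line (3.4.x before 3.4.4, 3.5.x before 3.5.2, and whatever pre-4.0.0 releases are meant) removes that ambiguity.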

From e549f6291ff4323d02a5230346b874911fdb28ea Mon Sep 17 00:00:00 2001 From: miqowhy <38476775+miqowhy@users.noreply.github.com> Date: Wed, 25 Mar 2026 06:21:03 +0100 Subject: [PATCH 2/3] Add new line as suggested by reviewer --- security.md | 1 + 1 file changed, 1 insertion(+) diff --git a/security.md b/security.md index 1160c2ff7c..3e55d9c8ba 100644 --- a/security.md +++ b/security.md @@ -58,6 +58,7 @@ This includes verifying the source, validating integrity, and applying appropria before loading or deploying a model.

Known security issues

+

CVE-2025-55039: Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks

Severity: Moderate From 3156117f9666a51d8c32c38da3f01a498bbc09f9 Mon Sep 17 00:00:00 2001 From: Mikołaj Żurek Date: Wed, 25 Mar 2026 06:55:33 +0100 Subject: [PATCH 3/3] Files modified after local build --- site/security.html | 30 ++++++++++++++++++++++++++++++ site/sitemap.xml | 4 ++-- 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/site/security.html b/site/security.html index 1166f04a63..043bdbfc22 100644 --- a/site/security.html +++ b/site/security.html @@ -205,6 +205,36 @@

Is loading a machine learning model secure? Who is responsible for model sec

Known security issues

+

CVE-2025-55039: Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks

+ +

Severity: Moderate

+ +

Vendor: The Apache Software Foundation

+ +

Versions Affected:

+ + + +

Description:

+ +

Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes. +When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication. +This vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.

+ +

Mitigation:

+ + + +

Credit:

+ + +

CVE-2023-32007: Apache Spark shell command injection vulnerability via Spark UI

This CVE is only an update to CVE-2022-33891 to clarify that version 3.1.3 is also diff --git a/site/sitemap.xml b/site/sitemap.xml index f70239e5c9..cdb7dc3ec5 100644 --- a/site/sitemap.xml +++ b/site/sitemap.xml @@ -1201,7 +1201,7 @@ weekly - https://spark.apache.org/graphx/ + https://spark.apache.org/sql/ weekly @@ -1209,7 +1209,7 @@ weekly - https://spark.apache.org/sql/ + https://spark.apache.org/graphx/ weekly
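Review bot: the generated page in this hunk reproduces the Description paragraph with spark.network.crypto.enabled and spark.network.crypto.cipher as plain text, exactly as the markdown source has them, so any wording or formatting fix agreed for the entry (the upgrade bullet, the split "Either ... or" mitigation, code formatting of the property names) has to land in security.md first and site/security.html regenerated from it, not hand-edited here. Since this commit is "Files modified after local build" and the second commit already changed security.md after the first build, please re-run the build once the markdown is final so the two files do not drift; the 30-line HTML insertion against 25 lines of markdown is expected from the list markup, but it will not stay in step if security.md is edited again in review.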
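Review bot: the two sitemap.xml hunks only swap the positions of https://spark.apache.org/graphx/ and https://spark.apache.org/sql/ and have nothing to do with the advisory; they come from the local build rather than from the change under review and should be dropped from this PR so the sitemap diff stays empty. If the generator emits these entries in a different order on different machines, that is a separate fix to make the ordering deterministic, not something to carry in a security-page update.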