CVE-2017-5640 Apache Impala (incubating) Information Disclosure

Severity: High

Versions Affected:
Apache Impala (incubating) 2.7.0 to 2.8.0

It was noticed that a malicious process impersonating an Impala daemon
could cause Impala daemons to skip authentication checks when Kerberos
is enabled (but TLS is not). If the malicious server responds with
'COMPLETE' before the SASL handshake has completed, the client will
consider the handshake as completed even though no exchange of
credentials has happened.
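The following is an added illustration of the client-side check involved, not code from Impala or Thrift: a toy SASL client that, in its hardened form, only accepts a COMPLETE status when the mechanism itself reports the exchange finished. The status byte values mirror the Thrift SASL transport framing; `ToySaslClient`, `sasl_handshake` and the constructed peer message lists are assumptions made for the example.

```python
# Status bytes of the Thrift SASL transport framing (START/OK/BAD/ERROR/COMPLETE).
START, OK, BAD, ERROR, COMPLETE = 1, 2, 3, 4, 5


class AuthError(Exception):
    """Raised when the client refuses to treat the session as authenticated."""


class ToySaslClient:
    """Constructed stand-in for a SASL mechanism (e.g. GSSAPI) that needs
    ROUNDS challenge/response exchanges before its context is established."""
    ROUNDS = 2

    def __init__(self):
        self.step = 0

    def evaluate(self, challenge: bytes) -> bytes:
        self.step += 1                     # consume a challenge, emit a response
        return b"response-%d" % self.step

    def is_complete(self) -> bool:
        return self.step >= self.ROUNDS    # mechanism-level view of completion


def sasl_handshake(server_frames, enforce_mechanism_state: bool) -> bool:
    """Drive the client side of the negotiation over the frames the peer sends.
    With enforce_mechanism_state=False the client trusts the peer's COMPLETE
    unconditionally (the weak behaviour); with True it cross-checks the
    mechanism state before accepting. Returns True only when authenticated."""
    mech = ToySaslClient()
    for status, payload in server_frames:
        if status == COMPLETE:
            if enforce_mechanism_state and not mech.is_complete():
                raise AuthError("peer sent COMPLETE before the mechanism finished")
            return True
        if status in (BAD, ERROR):
            raise AuthError("peer rejected the handshake: %r" % payload)
        if status == OK:
            mech.evaluate(payload)         # next response would be sent as OK+bytes
            continue
        raise AuthError("unexpected status %d" % status)
    raise AuthError("connection closed before the handshake completed")


def accepts(server_frames, enforce_mechanism_state: bool) -> bool:
    """Convenience wrapper: True if the session would be accepted, else False."""
    try:
        return sasl_handshake(list(server_frames), enforce_mechanism_state)
    except AuthError:
        return False


# Constructed peer behaviours: a genuine daemon completes both rounds; the
# impersonating peer described above declares COMPLETE immediately.
HONEST_PEER = [(OK, b"challenge-1"), (OK, b"challenge-2"), (COMPLETE, b"")]
PREMATURE_COMPLETE_PEER = [(COMPLETE, b"")]
```

Without TLS there is nothing else binding the client to a genuine daemon, so the mechanism-state check is the only thing standing between the client and an unauthenticated session.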

Users of the affected versions should apply the following mitigation:
Upgrade to Apache Impala (incubating) 2.9.0

This issue was identified by the Cloudera Security team.