CVE-2017-5640 Apache Impala (incubating) Information Disclosure

CVE-2017-5640 Apache Impala (incubating) Information Disclosure

Severity: High

Versions Affected:
Apache Impala (incubating) 2.7.0 to 2.8.0

Description:
It was noticed that a malicious process impersonating an Impala daemon
could cause Impala daemons to skip authentication checks when Kerberos
is enabled (but TLS is not). If the malicious server responds with
=E2=80=98COMPLETE=E2=80=99 before the SASL handshake has completed, the cli=
ent will
consider the handshake as completed even though no exchange of
credentials has happened.

Mitigation:
Users of the affected versions should apply the following mitigation:
Upgrade to Apache Impala (incubating) 2.9.0

Credit:
This issue was identified by the Cloudera Security team.

References:
https://issues.apache.org/jira/browse/IMPALA-5005