TSB 2017-224: Malicious server can cause Impala server to skip authentication checks

asked Oct 22, 2017 in Hadoop by anonymous
Summary
A malicious server which impersonates an Impala service can cause a client to skip its authentication checks.

A malicious server which impersonates an Impala service (either Impala daemon, Catalog Server or Statestore) can cause a client (Impala daemon or Statestore) to skip its authentication checks when Kerberos is enabled. That malicious server may then intercept sensitive data intended for the Impala service.

This affects deployments that use Kerberos, but not TLS, for authentication between Impala daemons. Deployments that use TLS to secure communication between services are not affected by the same issue.

CVE: CVE-2017-5640
Date/time of detection: February 27, 2017
Detected by: Cloudera

Applies To
  • CDH 5.7 and lower
  • CDH 5.8.0, 5.8.1, 5.8.2, 5.8.3, 5.8.4
  • CDH 5.9.0, 5.9.1
  • CDH 5.10.0
To obtain the fix please upgrade to one of the following releases:
  • CDH 5.8.5 or higher
  • CDH 5.9.2 or higher
  • CDH 5.10.1 or higher
  • CDH 5.11.0 or higher

As a work-around, enable TLS for connections between Impala services.
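As an added example (not part of the Cloudera advisory or the Impala code base), the following script turns the "Applies To" and fix lists above, together with the Kerberos/TLS conditions, into a check an administrator can run against a cluster inventory. The version ranges are transcribed from the advisory; reading each "X or higher" as a plain version comparison, and treating releases newer than CDH 5.11.0 as containing the fix, are assumptions.

```python
"""Classify a CDH release against TSB 2017-224 (CVE-2017-5640).

Added example, not Cloudera's or Impala's own code. Affected and fixed
ranges are copied from the advisory text; the comparison rules are an
assumption about how "or higher" / "and lower" should be interpreted.
"""
import re
from typing import Tuple

# First fixed release on each affected 5.x branch, as stated in the advisory.
FIXED_FROM = {
    8: (5, 8, 5),    # CDH 5.8.5 or higher
    9: (5, 9, 2),    # CDH 5.9.2 or higher
    10: (5, 10, 1),  # CDH 5.10.1 or higher
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '5.8.4' (or a short form such as '5.7') into a 3-tuple."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised CDH version: {text!r}")
    major, minor, patch = (int(p) if p is not None else 0 for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the release is in the advisory's 'Applies To' list."""
    v = parse_version(version)
    if v < (5, 8, 0):
        return True                      # "CDH 5.7 and lower"
    if v[0] == 5 and v[1] in FIXED_FROM:
        return v < FIXED_FROM[v[1]]      # 5.8.x, 5.9.x, 5.10.x branches
    # CDH 5.11.0 or higher; assumption: later majors also carry the fix.
    return False


def exposure(version: str, kerberos_enabled: bool, tls_enabled: bool) -> str:
    """Combine the version check with the advisory's Kerberos/TLS conditions."""
    if not is_affected(version):
        return "not affected: release contains the fix"
    if not kerberos_enabled:
        return "out of scope: advisory applies to Kerberos-enabled deployments"
    if tls_enabled:
        return "mitigated: TLS between Impala services is the documented work-around"
    return "VULNERABLE: upgrade to a fixed release or enable TLS between Impala services"


if __name__ == "__main__":
    # Constructed sample inventory: (host, CDH version, kerberos, tls).
    inventory = [
        ("impalad-01", "5.8.4", True, False),
        ("impalad-02", "5.8.5", True, False),
        ("impalad-03", "5.10.0", True, True),
        ("impalad-04", "5.7", False, False),
    ]
    for host, ver, krb, tls in inventory:
        print(f"{host:12} CDH {ver:7} -> {exposure(ver, krb, tls)}")
```

The check only reproduces the advisory's own decision table; it does not inspect a live cluster, so the Kerberos and TLS flags must come from the deployment's actual service configuration.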
