PT-2017-16646 · Apache · Apache Impala

Publicado

2017-07-10

Atualizado

2019-10-03

CVE-2017-5652

CVSS v3.1

7.5

Alta

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Apache Impala (incubating) versions 2.7.0 through 2.8.0

Description A security issue was discovered in Apache Impala where data was sent in plaintext over a specific port, even when the cluster was configured to use TLS. This occurred because the StatestoreSubscriber class did not utilize the appropriate secure Thrift transport when TLS was enabled. As a result, an adversary with network access could intercept and view the data in plaintext.

Recommendations For Apache Impala (incubating) versions 2.7.0 through 2.8.0, consider disabling the use of the affected port or restricting access to it until a secure fix is implemented to ensure TLS encryption is properly used.

Correção

Cleartext Transmission of Sensitive Information

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-319

Identificadores relacionados

CVE-2017-5652

Produtos afetados

Apache Impala

PT-2017-16646 · Apache · Apache Impala

CVE-2017-5652

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 4