PT-2017-19190 · Apache · Apache Impala

Published 2017-10-03 · Updated 2019-10-03 · CVE-2017-9792

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Apache Impala (incubating) versions prior to 2.10.0

Description

A malicious user with "ALTER" permissions on an Impala table can access the data of any other Kudu table by altering the table properties to make the table "external" and then changing the underlying table mapping to point to other Kudu tables. This bypasses the authorization requirement that creating a Kudu external table via Impala requires an "ALL" privilege at the server scope.

Recommendations

For Apache Impala (incubating) versions prior to 2.10.0, update to version 2.10.0 or later to enforce the privilege requirement for "ALTER" commands that would make existing non-external Kudu tables external.

Fix

Incorrect Permission

Weakness Enumeration

Related Identifiers

CVE-2017-9792

Affected Products

Apache Impala