PT-2017-16646 · Apache · Apache Impala
Published
2017-07-10
·
Updated
2019-10-03
·
CVE-2017-5652
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Impala (incubating) versions 2.7.0 through 2.8.0
Description
A security issue was discovered in Apache Impala where data was sent in plaintext over a specific port, even when the cluster was configured to use TLS. This occurred because the StatestoreSubscriber class did not utilize the appropriate secure Thrift transport when TLS was enabled. As a result, an adversary with network access could intercept and view the data in plaintext.
Recommendations
For Apache Impala (incubating) versions 2.7.0 through 2.8.0, consider disabling the use of the affected port or restricting access to it until a secure fix is implemented to ensure TLS encryption is properly used.
Fix
Cleartext Transmission of Sensitive Information
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Impala