Information Disclosure in Apache Impala by Apache
CVE-2017-5652

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Impala
Vendor: CVE Published:; 10 July 2017

Summary

In Apache Impala versions 2.7.0 to 2.8.0, a vulnerability was identified where data transmitted over a specific port was sent in plaintext, despite the cluster being configured for TLS. This issue arose due to the StatestoreSubscriber class not implementing secure Thrift transport when TLS was enabled, allowing attackers with network access to intercept and read sensitive data being transmitted.

Affected Version(s)

Apache Impala 2.7.0 to 2.8.0 incubating

References

https://lists.apache.org/thread.html/5bab4424f23aebefc810...

mailing-listx_refsource_MLIST

http://www.securityfocus.com/archive/1/540831/100/0/threaded

mailing-listx_refsource_BUGTRAQ

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 10, 2017
Vulnerability Reserved
Jan 29, 2017