48 matches found
Design/Logic Flaw
It was noticed that a malicious process impersonating an Impala daemon in Apache Impala incubating 2.7.0 to 2.8.0 could cause Impala daemons to skip authentication checks when Kerberos is enabled but TLS is not. If the malicious server responds with 'COMPLETE' before the SASL handshake has...
Design/Logic Flaw
During a routine security analysis, it was found that one of the ports in Apache Impala incubating 2.7.0 to 2.8.0 sent data in plaintext even when the cluster was configured to use TLS. The port in question was used by the StatestoreSubscriber class which did not use the appropriate secure Thrift...
CVE-2017-5640
It was noticed that a malicious process impersonating an Impala daemon in Apache Impala incubating 2.7.0 to 2.8.0 could cause Impala daemons to skip authentication checks when Kerberos is enabled but TLS is not. If the malicious server responds with 'COMPLETE' before the SASL handshake has...
CVE-2017-5652
During a routine security analysis, it was found that one of the ports in Apache Impala incubating 2.7.0 to 2.8.0 sent data in plaintext even when the cluster was configured to use TLS. The port in question was used by the StatestoreSubscriber class which did not use the appropriate secure Thrift...
CVE-2017-5652
During a routine security analysis, it was found that one of the ports in Apache Impala incubating 2.7.0 to 2.8.0 sent data in plaintext even when the cluster was configured to use TLS. The port in question was used by the StatestoreSubscriber class which did not use the appropriate secure Thrift...
CVE-2017-5640
It was noticed that a malicious process impersonating an Impala daemon in Apache Impala incubating 2.7.0 to 2.8.0 could cause Impala daemons to skip authentication checks when Kerberos is enabled but TLS is not. If the malicious server responds with 'COMPLETE' before the SASL handshake has...
CVE-2017-5652
The CVE-2017-5652 entry concerns Apache Impala (incubating) versions 2.7.0–2.8.0 where one port used by the StatestoreSubscriber did not employ the secure Thrift transport when TLS was enabled. This allowed an attacker with network access to eavesdrop on plaintext data traversing that port, const...
CVE-2017-5640
CVE-2017-5640 affects Apache Impala (incubating) versions 2.7.0–2.8.0. A malicious process impersonating an Impala daemon can cause the server to skip authentication checks when Kerberos is enabled but TLS is not, by replying with COMPLETE before the SASL handshake finishes, making the client tre...