CVE-2017-5640
moderate-risk
Published 2017-07-10
It was noticed that a malicious process impersonating an Impala daemon in Apache Impala (incubating) 2.7.0 to 2.8.0 could cause Impala daemons to skip authentication checks when Kerberos is enabled (but TLS is not). If the malicious server responds with 'COMPLETE' before the SASL handshake has completed, the client will consider the handshake as completed even though no exchange of credentials has happened.
Do I need to act?
~
1.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (2)
Impala
Impala
Affected Vendors
References (4)
43
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
4/34 · Minimal
Exposure
7/34 · Low