Critical severity9.8NVD Advisory· Published Jul 10, 2017· Updated Jun 17, 2026
CVE-2017-5640
CVE-2017-5640
Description
It was noticed that a malicious process impersonating an Impala daemon in Apache Impala (incubating) 2.7.0 to 2.8.0 could cause Impala daemons to skip authentication checks when Kerberos is enabled (but TLS is not). If the malicious server responds with 'COMPLETE' before the SASL handshake has completed, the client will consider the handshake as completed even though no exchange of credentials has happened.
Affected products
4- Apache Software Foundation/Apache Impalav5Range: 2.7.0 to 2.8.0 incubating
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.