VYPR
Critical severity9.8NVD Advisory· Published Jul 10, 2017· Updated Jun 17, 2026

CVE-2017-5640

CVE-2017-5640

Description

It was noticed that a malicious process impersonating an Impala daemon in Apache Impala (incubating) 2.7.0 to 2.8.0 could cause Impala daemons to skip authentication checks when Kerberos is enabled (but TLS is not). If the malicious server responds with 'COMPLETE' before the SASL handshake has completed, the client will consider the handshake as completed even though no exchange of credentials has happened.

Affected products

4
  • Apache/Impala3 versions
    cpe:2.3:a:apache:impala:2.7.0:*:*:*:*:*:*:*+ 2 more
    • cpe:2.3:a:apache:impala:2.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:impala:2.8.0:*:*:*:*:*:*:*
    • (no CPE)range: 2.7.0 to 2.8.0
  • Apache Software Foundation/Apache Impalav5
    Range: 2.7.0 to 2.8.0 incubating

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.