Return-Path: <announce-return-4119-archive-asf-public=cust-asf.ponee.io@apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 3C298200D1D
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Sat, 30 Sep 2017 00:32:16 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id 3A9B51609ED; Fri, 29 Sep 2017 22:32:16 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 7F6261609D1
	for <archive-asf-public@cust-asf.ponee.io>; Sat, 30 Sep 2017 00:32:15 +0200 (CEST)
Received: (qmail 8821 invoked by uid 500); 29 Sep 2017 22:32:10 -0000
Mailing-List: contact announce-help@apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:announce-help@apache.org>
List-Unsubscribe: <mailto:announce-unsubscribe@apache.org>
List-Post: <mailto:announce@apache.org>
List-Id: <announce.apache.org>
Delivered-To: mailing list announce@apache.org
Delivered-To: moderator for announce@apache.org
Received: (qmail 2260 invoked by uid 99); 29 Sep 2017 22:28:22 -0000
X-Gm-Message-State: AMCzsaXZtmsa1KzGgpxRQ48ZICEogb78+P9HT9DDih05XsMarADQdYfm
	hDUnqq+zJbFFnPHhn8MGLUzPHSG1tzFyRPvUh9UqhQ==
X-Google-Smtp-Source: AOwi7QALQEXNTZsNi3kfWxom5BCqGP4BQYWF6JO/K3cU97hHgbRR7zatr32PEUr1t601PHSRbT71nqpTIXHE6YIarbs=
X-Received: by 10.36.54.74 with SMTP id l71mr8195987itl.37.1506724100469; Fri,
 29 Sep 2017 15:28:20 -0700 (PDT)
MIME-Version: 1.0
From: Bharath Vissapragada <bharathv@apache.org>
Date: Fri, 29 Sep 2017 15:27:59 -0700
X-Gmail-Original-Message-ID: <CAFWiQHYvHUG42bC0EVkxciyR_-uswTW2UZCFQ6o0Q2+PGWSi6Q@mail.gmail.com>
Message-ID: <CAFWiQHYvHUG42bC0EVkxciyR_-uswTW2UZCFQ6o0Q2+PGWSi6Q@mail.gmail.com>
Subject: CVE-2017-9792 Apache Impala (incubating) Information Disclosure
To: announce@apache.org
Content-Type: multipart/alternative; boundary="001a1144d1b8c898ed055a5b8a7e"
archived-at: Fri, 29 Sep 2017 22:32:16 -0000

--001a1144d1b8c898ed055a5b8a7e
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

CVE-2017-9792 Apache Impala (incubating) Information Disclosure

Severity: High

Versions Affected: 2.8.0, 2.9.0

Description:
A malicious user with =E2=80=9CALTER=E2=80=9D permissions on an Impala tabl=
e can access any
other Kudu table data by altering the table properties to make it
=E2=80=9Cexternal=E2=80=9D and then changing the underlying table mapping t=
o point to other
Kudu tables. This violates and works around the authorization requirement
that creating a Kudu external table via Impala requires an =E2=80=9CALL=E2=
=80=9D privilege
at the server scope. This privilege requirement for =E2=80=9CCREATE=E2=80=
=9D commands is
enforced to precisely avoid this scenario where a malicious user can change
the underlying Kudu table mapping. The fix is to enforce the same privilege
requirement for =E2=80=9CALTER=E2=80=9D commands that would make existing n=
on-external Kudu
tables external.

Mitigation:
A temporary workaround is to revoke "ALTER" permissions on Impala tables. A
permanent fix is included in Apache Impala (incubating) 2.10.0 release and
the affected users should upgrade to that version.

Credit: This issue was identified and fixed by Matthew Jacobs.

References: https://issues.apache.org/jira/browse/IMPALA-5638

--001a1144d1b8c898ed055a5b8a7e
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><span style=3D"font-size:12.8px">CVE-2017-9792 Apache Impa=
la (incubating) Information Disclosure</span><br style=3D"font-size:12.8px"=
><br style=3D"font-size:12.8px"><span style=3D"font-size:12.8px">Severity: =
High</span><br style=3D"font-size:12.8px"><br style=3D"font-size:12.8px"><d=
iv style=3D"font-size:12.8px">Versions Affected: 2.8.0, 2.9.0<br><br>Descri=
ption:<br>A malicious user with =E2=80=9CALTER=E2=80=9D permissions on an I=
mpala table can access any other Kudu table data by altering the table prop=
erties to make it =E2=80=9Cexternal=E2=80=9D and then changing the underlyi=
ng table mapping to point to other Kudu tables. This violates and works aro=
und the authorization requirement that creating a Kudu external table via I=
mpala requires an =E2=80=9CALL=E2=80=9D privilege at the server scope. This=
 privilege requirement for =E2=80=9CCREATE=E2=80=9D commands is enforced to=
 precisely avoid this scenario where a malicious user can change the underl=
ying Kudu table mapping. The fix is to enforce the same privilege requireme=
nt for =E2=80=9CALTER=E2=80=9D commands that would make existing non-extern=
al Kudu tables external.<br><br>Mitigation:=C2=A0</div><div style=3D"font-s=
ize:12.8px">A temporary workaround is to revoke &quot;ALTER&quot; permissio=
ns on Impala tables. A permanent fix is included in Apache Impala (incubati=
ng) 2.10.0 release and the affected users should upgrade to that version.<b=
r><br>Credit: This issue was identified and fixed by Matthew Jacobs.<br><br=
>References:=C2=A0<a href=3D"https://issues.apache.org/jira/browse/IMPALA-5=
638" target=3D"_blank">https://issues.<wbr>apache.org/jira/browse/IMPALA-<w=
br>5638</a></div></div>

--001a1144d1b8c898ed055a5b8a7e--