List:       oss-security
Subject:    [oss-security] CVE-2021-28131: Apache Impala: Impala logs contain secrets
From:       Zoltán Borók-Nagy <boroknagyz () apache ! org>
Date:       2021-07-22 9:41:43
Message-ID: 76117b25-4176-1f57-5800-ba1e7dc04f5a () apache ! org

Severity: high

Description:

Impala sessions use a 16 byte secret to verify that the session is not being hijacked by another user. However, these secrets appear in the Impala logs, so Impala users with access to the logs can use another authenticated user's sessions with specially constructed requests. This means the attacker is able to execute statements for which they otherwise do not have the necessary privileges.

Impala deployments with Apache Sentry or Apache Ranger authorization enabled may be vulnerable to privilege escalation if an authenticated attacker is able to hijack a session or query from another authenticated user with privileges not assigned to the attacker.

Impala deployments with audit logging enabled may be vulnerable to incorrect audit logging, as a user could undertake actions that were logged under the name of a different authenticated user.

Constructing an attack requires a high degree of technical sophistication and access to the Impala system as an authenticated user.

Mitigation: If an Impala deployment uses Apache Sentry, Apache Ranger or audit logging, then users should upgrade to a version of Impala with the fix for IMPALA-10600. The Impala 4.0 release includes this fix. This hides session secrets from the logs to eliminate the risk of any attack using this mechanism.

In lieu of an upgrade, restricting access to logs that expose secrets will reduce the risk of an attack. Restricting access to the Impala deployment to trusted users will also reduce the risk of an attack. Log redaction techniques can be used to redact secrets from the logs.
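As an added illustration of the log redaction workaround (this is not code from the advisory or from the Impala project), the filter below strips a labelled 16-byte hex secret from log lines before they are shared or archived, and an audit helper reports any that survive. The log lines and the "secret=" field name are constructed assumptions; the advisory does not show the real format of the leaked entries.

```python
import re

# Constructed sample lines in a glog-style layout. The advisory does not show the
# real format of the leaked entries, so the field names here are an assumption.
SAMPLE_LOG = """\
I0722 09:41:43.000001 12345 impala-server.cc:1234] Opened session 1a2b3c4d5e6f7a8b:0123456789abcdef secret=00112233445566778899aabbccddeeff user=alice
I0722 09:41:44.000002 12345 impala-server.cc:1300] Query 9f8e7d6c5b4a3928:1122334455667788 started for session 1a2b3c4d5e6f7a8b:0123456789abcdef
I0722 09:41:45.000003 12345 impala-hs2-server.cc:500] Session secret 0123456789abcdef0123456789abcdef verified
"""

# A 16-byte secret printed as hex is exactly 32 hex digits. Requiring a "secret"
# label before it keeps session and query ids (two 16-digit halves joined by ':')
# readable, which operators still need for correlating log entries.
SECRET_RE = re.compile(r"(secret[=:\s]+)([0-9a-f]{32})\b", re.IGNORECASE)
REDACTED = "<redacted>"


def redact_line(line: str) -> str:
    """Replace any labelled 32-hex-digit secret on one line, keeping the label."""
    return SECRET_RE.sub(lambda m: m.group(1) + REDACTED, line)


def redact_log(text: str) -> str:
    """Redact a whole log, line by line, preserving line structure."""
    return "".join(redact_line(l) for l in text.splitlines(keepends=True))


def find_unredacted(text: str) -> list:
    """Audit helper: return (line_number, secret) for every secret still present.

    Run this over logs that are about to leave the trusted host; an empty list
    means no labelled session secret survived redaction.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_RE.finditer(line):
            hits.append((n, m.group(2)))
    return hits


if __name__ == "__main__":
    print(redact_log(SAMPLE_LOG))
    print("remaining secrets:", find_unredacted(redact_log(SAMPLE_LOG)))
```

Redaction only reduces exposure of logs already written; the upgrade carrying the IMPALA-10600 fix is what stops the secrets from being logged at all.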
