===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0274
     Multiple vulnerabilities have been identified in Apache Impala
                              26 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Apache Impala
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Increased Privileges           -- Existing Account
                      Provide Misleading Information -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-11792 CVE-2018-11785
Member content until: Sunday, November 25 2018

OVERVIEW

        Multiple vulnerabilities have been identified in Apache Impala
        prior to version 3.0.1. [1]

IMPACT

        Apache have provided the following details regarding the
        vulnerabilities:

        "CVE-2018-11785:
        - Missing authorization check in Apache Impala allows a
        Kerberos-authenticated but unauthorized user to inject random data
        into a running query, leading to wrong results for a query

        CVE-2018-11792 (IMPALA-7502):
        - ALTER TABLE/VIEW RENAME required ALTER on the old table. This may
        pose a potential security risk, such as having ALTER on a table and
        ALL on a particular database allows a user to move the table to a
        database with ALL, which will automatically grant that user with
        ALL privilege on that table due to the privilege inherited from the
        database" [1]

MITIGATION

        Apache recommends upgrading to the latest version of Apache Impala
        to address these issues. [1]

REFERENCES

        [1] Apache Mail Archives
            https://lists.apache.org/thread.html/cba8f18df15af862aa07c584d8dc85c44a199fb8f460edd498059247@%3Cdev.impala.apache.org%3E

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
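
An audit sketch for the CVE-2018-11792 condition quoted in the bulletin above, added here as an example and not AusCERT's or Apache's code: it flags principals who hold ALTER but not ALL on a table while also holding ALL on another database. The grant tuples, table inventory and function names are constructed for illustration and do not come from an Impala or Sentry API.

```python
from collections import defaultdict

# Constructed sample grants: (principal, privilege, database, table).
# table=None means the grant is at database scope and is inherited by
# every table in that database, as the bulletin describes.
SAMPLE_GRANTS = [
    ("analyst", "ALTER", "sales", "orders"),
    ("analyst", "ALL", "scratch", None),
    ("etl", "ALL", "sales", None),
    ("etl", "ALTER", "sales", "orders"),
    ("viewer", "SELECT", "sales", "orders"),
    ("viewer", "ALL", "scratch", None),
    ("dev", "ALTER", "hr", None),
    ("dev", "ALL", "scratch", None),
]
SAMPLE_TABLES = {"sales": ["orders", "refunds"], "hr": ["staff"], "scratch": []}


def effective(grants, principal, db, table):
    """Privileges a principal holds on db.table, including database-scope grants."""
    return {priv for who, priv, g_db, g_tbl in grants
            if who == principal and g_db == db and g_tbl in (None, table)}


def rename_exposures(grants, tables):
    """Return sorted (principal, 'db.table', [target databases]) findings."""
    all_dbs = defaultdict(set)  # principal -> databases where they hold ALL
    for who, priv, db, tbl in grants:
        if priv == "ALL" and tbl is None:
            all_dbs[who].add(db)
    findings = []
    for who, targets in all_dbs.items():
        for db, names in tables.items():
            for name in names:
                privs = effective(grants, who, db, name)
                # Exposed: may ALTER the table but does not already hold ALL on it.
                if "ALTER" in privs and "ALL" not in privs:
                    dests = sorted(targets - {db})
                    if dests:
                        findings.append((who, f"{db}.{name}", dests))
    return sorted(findings)


if __name__ == "__main__":
    for who, table, dests in rename_exposures(SAMPLE_GRANTS, SAMPLE_TABLES):
        print(f"{who}: ALTER-only on {table}, holds ALL on {', '.join(dests)}")
```

Run against an export of real role grants on a deployment older than 3.0.1, each finding is a grant combination to review until the upgrade is in place.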