IMPALA-5005 Don't Allow Server to Send SASL COMPLETE Message Out of Order

This section describes an Impala vulnerability.

Vulnerability A security vulnerability exists in Apache Impala products, including Impala 2.7.0, which is distributed and supported by MapR.
Details For Impala 2.7.0, the Kerberos SASL client-server message exchange negotiation is vulnerable to a privileged escalation attack as a result of the server’s out-of-order SASL COMPLETE message. The COMPLETE message typically ends a negotiation successfully. A successful negotiation allows the connection to take place.
Products Affected Impala 2.7.0, which is supported on MapR versions 5.2.1 and 5.2.2.
Impact An Impala SASL implementation vulnerability allows a privleged escalation attack in which a malicious server can force clients to bypass Kerberos authentication checks.
Severity High
Bug Tracking MapR bug 26889 (fixed in MEP 3.0.1) and IMPALA-5005.
Immediate Action Required Customers should download and use Impala 2.7.0 (2.7.0-mapr-1707) included in MEP 3.0.1 from
References For more information, see: