CVE-2021-28131 in Impala
Summary
by MITRE • 07/22/2021
Impala sessions use a 16 byte secret to verify that the session is not being hijacked by another user. However, these secrets appear in the Impala logs, therefore Impala users with access to the logs can use another authenticated user's sessions with specially constructed requests. This means the attacker is able to execute statements for which they don't have the necessary privileges otherwise. Impala deployments with Apache Sentry or Apache Ranger authorization enabled may be vulnerable to privilege escalation if an authenticated attacker is able to hijack a session or query from another authenticated user with privileges not assigned to the attacker. Impala deployments with audit logging enabled may be vulnerable to incorrect audit logging as a user could undertake actions that were logged under the name of a different authenticated user. Constructing an attack requires a high degree of technical sophistication and access to the Impala system as an authenticated user.

Mitigation: If an Impala deployment uses Apache Sentry, Apache Ranger or audit logging, then users should upgrade to a version of Impala with the fix for IMPALA-10600. The Impala 4.0 release includes this fix. This hides session secrets from the logs to eliminate the risk of any attack using this mechanism. In lieu of an upgrade, restricting access to logs that expose secrets will reduce the risk of an attack. Restricting access to the Impala deployment to trusted users will also reduce the risk of an attack. Log redaction techniques can be used to redact secrets from the logs.
Analysis
by VulDB Data Team • 07/27/2021
The vulnerability described in CVE-2021-28131 is a session hijacking flaw in the mechanism Apache Impala uses to tie requests to a session. Impala verifies session integrity with a 16-byte secret that is meant to stop one user from taking over another user's session. The flaw is that these session secrets are written to the system logs, so anyone who can read the logs can replay them and escalate privileges. Under CWE-200 this is an information exposure: sensitive authentication material becomes readable by users who should not have it. The impact goes beyond session theft, because an attacker can run SQL statements under another user's authenticated session and thereby bypass the access controls that would normally block those statements.
The operational impact is most severe in environments that use Apache Sentry or Apache Ranger for authorization. These frameworks provide fine-grained access control and privilege management, so a hijacked session of a highly privileged user can exceed the attacker's own privileges by a wide margin. An authenticated attacker who obtains a session secret from the logs can impersonate the legitimate user and perform operations that user is allowed to perform. This is a significant risk for organizations that rely on these authorization systems for data protection and access control enforcement. The attack requires an authenticated account and substantial technical expertise, but once a session secret is obtained it can lead to unauthorized data access, modification, or deletion. The attack vector aligns with ATT&CK technique T1078, which covers valid accounts and privilege escalation through session hijacking.
Because the exposure happens through the logging mechanism, the vulnerability also undermines the audit trail. Organizations with audit logging enabled face incorrect audit records, in which actions performed by the attacker appear to originate from the legitimate user whose session was hijacked. This weakens security monitoring and makes it difficult to reconstruct and investigate incidents accurately. The logging exposure is a case of insufficient input validation and output sanitization, as highlighted by CWE-20 and CWE-117, in which system-generated content containing sensitive information is not filtered or redacted before it is written to log files. An attacker needs enough privilege to read the Impala logs, but with that access the attack consists of relatively simple crafted requests that carry the exposed session secret.
Mitigation strategies for this vulnerability cover both immediate remediation and longer-term hardening. The primary fix is to upgrade to Impala 4.0 or later, which includes the fix for IMPALA-10600 and stops session secrets from appearing in logs. This addresses the root cause by implementing proper information hiding, as recommended by CWE-546. Organizations that cannot upgrade immediately should restrict access to the log files that contain session secrets, reducing the attack surface through access control measures aligned with CWE-284. Network-level access controls and limiting the Impala deployment to trusted users add further layers of defense, while log redaction can serve as an interim measure to mask the secrets before they are written to the logs. Together these measures address the information exposure through several defensive mechanisms, consistent with the principle of least privilege and the defense-in-depth guidance in frameworks such as NIST SP 800-53 and ISO 27001.
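The interim log redaction both sections recommend can be implemented as a small rule-based filter with a post-check that confirms no 16-byte secret survived. The following is an added example, not Impala's own code or its redaction format; the glog-style lines, the `secret=<value>` field shape and the rule structure (trigger, regex, replacement) are constructed assumptions for illustration.

```python
import re

# Constructed sample log lines in glog style (not copied from a real Impala log).
# The "secret=<value>" key/value shape is an assumption for this example.
SAMPLE_LOG = [
    "I0722 10:01:02.123456  1234 impala-server.cc:1100] Opened session 2f4a9c0e1b3d4f5a:7c8e9d0a1b2c3d4e secret=8f3d2a1c9b7e4f6a0d5c3b2a1e9f8d7c user=alice",
    "I0722 10:01:03.000001  1234 impala-server.cc:1200] Query a1b2c3d4e5f60718:0000000000000000 for session 2f4a9c0e1b3d4f5a:7c8e9d0a1b2c3d4e",
    "I0722 10:01:04.500000  1235 impala-server.cc:1100] Opened session 1111222233334444:5555666677778888 secret=MDEyMzQ1Njc4OWFiY2RlZg== user=bob",
]

# A bare 16-byte value rendered as 32 hex chars. Impala query and session ids are
# two 16-hex halves joined by ':', so the look-arounds leave those intact.
HEX32 = re.compile(r"(?<![0-9a-fA-F:])[0-9a-fA-F]{32}(?![0-9a-fA-F:])")

# Ordered redaction rules: an optional literal trigger (cheap pre-check), a
# compiled regex, and the replacement. Only the matched value is replaced, so
# the session id, user and timestamp stay usable for forensics.
REDACTION_RULES = [
    # value of a secret= field, whatever its encoding (hex, base64, ...)
    {"trigger": "secret=", "search": re.compile(r"(?<=secret=)\S+"), "replace": "<redacted>"},
    # defence in depth: any stand-alone 32-hex token that slipped past the first rule
    {"trigger": None, "search": HEX32, "replace": "<redacted>"},
]

def redact_line(line: str, rules=REDACTION_RULES) -> str:
    for rule in rules:
        if rule["trigger"] is None or rule["trigger"] in line:
            line = rule["search"].sub(rule["replace"], line)
    return line

def redact_log(lines):
    return [redact_line(line) for line in lines]

def find_unredacted(lines):
    """Post-check for a log review: (line_no, value) for every 16-byte hex value
    still present. An empty list means the redaction held."""
    return [(n, m.group(0)) for n, line in enumerate(lines, 1) for m in HEX32.finditer(line)]

if __name__ == "__main__":
    print("leaks before redaction:", find_unredacted(SAMPLE_LOG))
    clean = redact_log(SAMPLE_LOG)
    for line in clean:
        print(line)
    print("leaks after redaction:", find_unredacted(clean))
```

Running `find_unredacted` over the raw lines reports the hex secret on line 1 but not the query or session ids; after redaction it reports nothing, while the ids needed to correlate audit records are preserved.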