CVE-2021-28131

7.5 HIGH

📋 TL;DR

CVE-2021-28131 is an authentication bypass vulnerability in Apache Impala where session secrets are exposed in logs, allowing authenticated users to hijack other users' sessions. This enables privilege escalation in deployments using Apache Sentry or Ranger authorization, and can cause incorrect audit logging. The vulnerability affects Impala deployments with logging enabled where users have access to log files.

💻 Affected Systems

Products:
  • Apache Impala
Versions: All versions before Impala 4.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when using Apache Sentry, Apache Ranger authorization, or audit logging. Basic Impala deployments without these features are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authenticated attacker gains administrative privileges, executes arbitrary SQL commands, accesses sensitive data, and manipulates audit logs to hide malicious activity.

🟠 Likely Case

Authenticated user with log access escalates privileges to access data or perform actions beyond their normal permissions, potentially leading to data exfiltration or unauthorized modifications.

🟢 If Mitigated

With proper access controls and log restrictions, risk is limited to authorized users who already have significant system access.

🌐 Internet-Facing: MEDIUM - While exploitation requires authenticated access, internet-facing Impala instances could be targeted by attackers who obtain valid credentials.
🏢 Internal Only: HIGH - Internal users with log access can exploit this for privilege escalation, especially in multi-user environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to Impala, access to logs containing session secrets, and ability to construct specialized requests. Attack sophistication is moderate.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Impala 4.0 and later

Vendor Advisory: https://lists.apache.org/thread.html/rb54f54a91b7abaf1ed772f3a9cec290153c24881b25567b06f1b4a8c%40%3Cannounce.apache.org%3E

Restart Required: Yes

Instructions:

1. Download Impala 4.0 or later from Apache Impala releases.
2. Stop Impala services.
3. Backup configuration and data.
4. Install new version.
5. Update configuration if needed.
6. Restart Impala services.
7. Verify functionality.

🔧 Temporary Workarounds

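Restrict log file access (Linux)

Limit access to Impala log files to prevent users from reading session secrets:

# Assumes the Impala daemons run as the "impala" service account, which must keep write access to its own logs
chmod 640 /var/log/impala/*.log
chown impala:impala /var/log/impala/*.log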

Implement log redaction (all platforms)

Configure log processing to redact or mask session secrets before storage:

# Configure log4j properties to filter session secrets
# Use sed or log processors to remove secrets:
sed -i 's/secret=[a-f0-9]\{32\}/secret=REDACTED/g' impala.log

🧯 If You Can't Patch

  • Restrict Impala access to trusted users only and implement strict access controls
  • Disable or limit audit logging and authorization features if not essential

🔍 How to Verify

Check if Vulnerable:

Check the Impala version with impala-shell --version. If the version is below 4.0 and Sentry, Ranger, or audit logging is in use, the system is vulnerable.

Check Version:

impala-shell --version | grep 'Impala Shell'

Verify Fix Applied:

After upgrade to Impala 4.0+, verify session secrets are not visible in logs by searching for 16-byte hex strings in log files.
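
The redaction workaround and the post-upgrade log check described above, as an added Python example (not part of the original page or of Apache Impala). The `secret=<32 hex>` layout comes from the page's sed expression; the sample log lines and function names are constructed for illustration, and unlike that sed expression the pattern also matches upper-case hex.

```python
import re

# "secret=<32 hex chars>" is the pattern used by the page's sed workaround
# (a 16-byte value printed as hex); the real log layout is an assumption.
LABELLED = re.compile(r"(secret=)[0-9a-f]{32}(?![0-9a-f])", re.IGNORECASE)
# Any other stand-alone 32-hex token is only a candidate for manual review
# (it may be a checksum or another identifier), so it is flagged, not masked.
BARE = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])", re.IGNORECASE)


def redact_line(line):
    """Mask labelled secrets; return (clean_line, labelled_hits, bare_hits)."""
    clean, labelled = LABELLED.subn(r"\g<1>REDACTED", line)
    bare = len(BARE.findall(clean))
    return clean, labelled, bare


def audit(lines):
    """Return (redacted_lines, findings); findings never contain a secret."""
    redacted, findings = [], []
    for lineno, line in enumerate(lines, start=1):
        clean, labelled, bare = redact_line(line)
        redacted.append(clean)
        if labelled:
            findings.append((lineno, "labelled", labelled))
        if bare:
            findings.append((lineno, "candidate", bare))
    return redacted, findings


# Constructed sample lines, not real Impala log output.
SAMPLE = [
    "I0601 10:00:01 session opened user=alice secret=0123456789abcdef0123456789abcdef",
    "I0601 10:00:02 query id=4a1f:9c2e submitted by alice",
    "I0601 10:00:03 checksum d41d8cd98f00b204e9800998ecf8427e verified",
    "I0601 10:00:04 secret=0123456789ABCDEF0123456789ABCDEF reused, secret=short",
]

if __name__ == "__main__":
    clean_lines, report = audit(SAMPLE)
    for lineno, kind, count in report:
        print(f"line {lineno}: {count} {kind} value(s)")
    print("\n".join(clean_lines))
```

Findings report only line numbers and counts, so the check does not copy secrets into another log. Run redaction on rotated files: like `sed -i`, rewriting a log the daemon still has open leaves the daemon writing to the old inode.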

📡 Detection & Monitoring

Log Indicators:

  • Multiple session IDs from same IP with different user contexts
  • Unexpected privilege escalation in audit logs
  • Log entries containing 16-byte hexadecimal session secrets

Network Indicators:

  • Unusual SQL query patterns from authenticated sessions
  • Session reuse from different user agents or IPs

SIEM Query:

source="impala.log" AND "secret=" AND ("SELECT" OR "INSERT" OR "UPDATE" OR "DELETE") | stats count by user, src_ip
