Apache Drill: DRILL-5943

Avoid the strong check introduced by DRILL-5582 for PLAIN mechanism


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.12.0
    • Fix Version/s: 1.12.0
    • Component/s: None

    Description

      For the PLAIN mechanism we will weaken the strong check introduced with DRILL-5582 in order to keep forward compatibility between a Drill 1.12 client and a Drill 1.9 server. This is acceptable because, with or without this strong check, the PLAIN mechanism is still vulnerable to MITM during the handshake itself, unlike mutual authentication protocols such as Kerberos.

      Also, to keep forward compatibility with respect to SASL, we will treat UNKNOWN_SASL_SUPPORT as a valid value. When a handshake message is received from a client running a later version (say 1.13) than the Drillbit (1.12), and it carries a new value for the SaslSupport field that is unknown to the server, this field will be decoded as UNKNOWN_SASL_SUPPORT. In this scenario the client is treated as one that is aware of the SASL protocol, but the server does not know the client's exact capabilities. Hence the SASL handshake will still be required from the server side.
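      As an added illustration (not Drill's own code), the following model shows the server-side behaviour described above: a SaslSupport value the server's schema does not know collapses to UNKNOWN_SASL_SUPPORT instead of failing, and such a client is still put through the SASL handshake. The enum numbering, the use of None for an absent field, and the function names are assumptions made for this example.

```python
from enum import IntEnum
from typing import Optional


class SaslSupport(IntEnum):
    # Numbering is assumed for illustration; it mirrors a protobuf enum whose
    # zero value acts as the "unknown" sentinel for values a peer does not know.
    UNKNOWN_SASL_SUPPORT = 0
    SASL_AUTH = 1
    SASL_PRIVACY = 2


def decode_sasl_support(raw: Optional[int]) -> Optional[SaslSupport]:
    """Decode the SaslSupport field the way an older server would.

    None                        -> field absent: client predates SASL support.
    value known to this schema  -> that value.
    any other value             -> UNKNOWN_SASL_SUPPORT (sent by a newer
                                   client), never a decode error.
    """
    if raw is None:
        return None
    try:
        return SaslSupport(raw)
    except ValueError:
        # A newer client advertised a capability this server has no name for.
        return SaslSupport.UNKNOWN_SASL_SUPPORT


def server_requires_sasl(raw: Optional[int], auth_enabled: bool) -> bool:
    """Decide whether the server demands a SASL handshake from this client.

    A client whose field decodes to UNKNOWN_SASL_SUPPORT did set the field,
    so it is SASL-aware even though its exact capabilities are unknown; the
    server therefore still runs the handshake when authentication is on.
    A client that never set the field is treated as unaware of SASL.
    """
    if not auth_enabled:
        return False
    return decode_sasl_support(raw) is not None


if __name__ == "__main__":
    # Constructed sample: a 1.13-style client sending a value the 1.12 server
    # does not know (42 is a made-up future value).
    print(decode_sasl_support(42).name, server_requires_sasl(42, True))
```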


      People

        Sorabh Hamirwasia (shamirwasia)
        Sorabh Hamirwasia (shamirwasia)
        Laurent Goujon