| field | value | date |
|---|---|---|
| author | Patrick Hunt <phunt@apache.org> | 2018-05-21 10:44:33 -0700 |
| committer | Patrick Hunt <phunt@apache.org> | 2018-05-21 10:44:33 -0700 |
| commit | 25086098ef361dacd00da29742618b1c73c6c1e5 | |
| tree | 7e0e9d23b120e81586e78a6eb8e06fd8a057b6ca | |
| parent | ec4ec1407fbf955a8c6c87b356806d8cf9c45830 | |
| download | zookeeper-25086098ef361dacd00da29742618b1c73c6c1e5.tar.gz | |
Updated the security page for CVE-2018-8012
Change-Id: I9ccf0df38f14863e2ad81cecdf4b50fe0d474a86
content/security.html | 93
1 file changed, 62 insertions(+), 31 deletions(-)
diff --git a/content/security.html b/content/security.html index ffb42bc52..d441a6d12 100644 --- a/content/security.html +++ b/content/security.html 
@@ -35,10 +35,71 @@ <h2 id="vulnerability-reports">Vulnerability reports</h2> <ul> - <li><a href="#CVE-2016-5017">CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli shell</a></li> + <li><a href="#CVE-2018-8012">CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication</a></li> <li><a href="#CVE-2017-5637">CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)</a></li> + <li><a href="#CVE-2016-5017">CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli shell</a></li> +</ul> + +<h3 id="cve-2018-8012-apache-zookeeper-quorum-peer-mutual-authentication">CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication</h3> + +<p>Severity: Critical</p> + +<p>Vendor: +The Apache Software Foundation</p> + +<p>Versions Affected: +ZooKeeper prior to 3.4.10 +ZooKeeper 3.5.0-alpha through 3.5.3-beta +The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected</p> + +<p>Description: +No authentication/authorization is enforced when a server attempts to join a quorum. 
As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.</p> + +<p>Mitigation: +Upgrade to 3.4.10 or later (3.5.4-beta or later if on the 3.5 branch) and enable Quorum Peer mutual authentication.</p> + +<p>Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue.</p> + +<p>See the documentation for more details on correct cluster administration.</p> + +<p>Credit: +This issue was identified by Földi Tamás and Eugene Koontz</p> + +<p>References: +https://issues.apache.org/jira/browse/ZOOKEEPER-1045 +https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication +http://zookeeper.apache.org/doc/current/zookeeperAdmin.html</p> + +<h3 id="CVE-2017-5637">CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)</h3> + +<p>Severity: moderate</p> + +<p>Vendor: +The Apache Software Foundation</p> + +<p>Versions Affected: +ZooKeeper 3.4.0 to 3.4.9 +ZooKeeper 3.5.0 to 3.5.2 +The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected</p> + +<p>Note: The 3.5 branch is still beta at this time.</p> + +<p>Description: +Two four letter word commands “wchp/wchc” are CPU intensive and could cause spike of CPU utilization on ZooKeeper server if abused, +which leads to the server unable to serve legitimate client requests. There is no known compromise which takes advantage of this vulnerability.</p> + +<p>Mitigation: +This affects ZooKeeper ensembles whose client port is publicly accessible, so it is recommended to protect ZooKeeper ensemble with firewall. +Documentation has also been updated to clarify on this point. 
In addition, a patch (ZOOKEEPER-2693) is provided to disable “wchp/wchc” commands +by default.</p> +<ul> + <li>ZooKeeper 3.4.x users should upgrade to 3.4.10 or apply the patch.</li> + <li>ZooKeeper 3.5.x users should upgrade to 3.5.3 or apply the patch.</li> </ul> +<p>References +[1] https://issues.apache.org/jira/browse/ZOOKEEPER-2693</p> + <h3 id="CVE-2016-5017">CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli shell</h3> <p>Severity: moderate</p> @@ -89,36 +150,6 @@ This issue was discovered by Lyon Yang (@l0Op3r)</p> <p>References: <a href="https://zookeeper.apache.org/security.html">Apache ZooKeeper Security Page</a></p> -<h3 id="CVE-2017-5637">CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)</h3> - -<p>Severity: moderate</p> - -<p>Vendor: -The Apache Software Foundation</p> - -<p>Versions Affected: -ZooKeeper 3.4.0 to 3.4.9 -ZooKeeper 3.5.0 to 3.5.2 -The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected</p> - -<p>Note: The 3.5 branch is still beta at this time.</p> - -<p>Description: -Two four letter word commands “wchp/wchc” are CPU intensive and could cause spike of CPU utilization on ZooKeeper server if abused, -which leads to the server unable to serve legitimate client requests. There is no known compromise which takes advantage of this vulnerability.</p> - -<p>Mitigation: -This affects ZooKeeper ensembles whose client port is publicly accessible, so it is recommended to protect ZooKeeper ensemble with firewall. -Documentation has also been updated to clarify on this point. In addition, a patch (ZOOKEEPER-2693) is provided to disable “wchp/wchc” commands -by default.</p> -<ul> - <li>ZooKeeper 3.4.x users should upgrade to 3.4.10 or apply the patch.</li> - <li>ZooKeeper 3.5.x users should upgrade to 3.5.3 or apply the patch.</li> -</ul> - -<p>References -[1] https://issues.apache.org/jira/browse/ZOOKEEPER-2693</p> - </div> </td> |
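Review bot: the in-page anchor for the new entry is broken in the first hunk: the list item links to `#CVE-2018-8012`, but the heading added below it carries `id="cve-2018-8012-apache-zookeeper-quorum-peer-mutual-authentication"`, so the link will not resolve. The other two entries use the bare CVE identifier as the id (`<h3 id="CVE-2017-5637">`, `<h3 id="CVE-2016-5017">`), so the new heading should follow that convention, `<h3 id="CVE-2018-8012">`, or the list link should point at the generated id. Two smaller points in the same hunk: the relocated CVE-2017-5637 block opens its last paragraph with `<p>References` and no colon, unlike the `References:` label used by the neighbouring entries, and the CVE-2018-8012 mitigation is right to say the upgrade must be paired with enabling Quorum Peer mutual authentication, since the fixed versions only make the feature available; consider stating explicitly that it is off by default so readers do not treat the version bump alone as the fix.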