author	Patrick Hunt <phunt@apache.org>	2018-05-21 10:44:33 -0700
committer	Patrick Hunt <phunt@apache.org>	2018-05-21 10:44:33 -0700
commit	25086098ef361dacd00da29742618b1c73c6c1e5 (patch)
tree	7e0e9d23b120e81586e78a6eb8e06fd8a057b6ca
parent	ec4ec1407fbf955a8c6c87b356806d8cf9c45830 (diff)
download	zookeeper-25086098ef361dacd00da29742618b1c73c6c1e5.tar.gz
Updated the security page for CVE-2018-8012
Change-Id: I9ccf0df38f14863e2ad81cecdf4b50fe0d474a86
-rw-r--r--	content/security.html	93
1 files changed, 62 insertions, 31 deletions
diff --git a/content/security.html b/content/security.html
index ffb42bc52..d441a6d12 100644
--- a/content/security.html
+++ b/content/security.html
@@ -35,10 +35,71 @@
<h2 id="vulnerability-reports">Vulnerability reports</h2>
<ul>
- <li><a href="#CVE-2016-5017">CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli shell</a></li>
+ <li><a href="#CVE-2018-8012">CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication</a></li>
<li><a href="#CVE-2017-5637">CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)</a></li>
+ <li><a href="#CVE-2016-5017">CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli shell</a></li>
+</ul>
+
+<h3 id="cve-2018-8012-apache-zookeeper-quorum-peer-mutual-authentication">CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication</h3>
+
+<p>Severity: Critical</p>
+
+<p>Vendor:
+The Apache Software Foundation</p>
+
+<p>Versions Affected:
+ZooKeeper prior to 3.4.10
+ZooKeeper 3.5.0-alpha through 3.5.3-beta
+The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected</p>
+
+<p>Description:
+No authentication/authorization is enforced when a server attempts to join a quorum. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.</p>
+
+<p>Mitigation:
+Upgrade to 3.4.10 or later (3.5.4-beta or later if on the 3.5 branch) and enable Quorum Peer mutual authentication.</p>
+
+<p>Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue.</p>
+
+<p>See the documentation for more details on correct cluster administration.</p>
+
+<p>Credit:
+This issue was identified by Földi Tamás and Eugene Koontz</p>
+
+<p>References:
+https://issues.apache.org/jira/browse/ZOOKEEPER-1045
+https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
+http://zookeeper.apache.org/doc/current/zookeeperAdmin.html</p>
+
+<h3 id="CVE-2017-5637">CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)</h3>
+
+<p>Severity: moderate</p>
+
+<p>Vendor:
+The Apache Software Foundation</p>
+
+<p>Versions Affected:
+ZooKeeper 3.4.0 to 3.4.9
+ZooKeeper 3.5.0 to 3.5.2
+The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected</p>
+
+<p>Note: The 3.5 branch is still beta at this time.</p>
+
+<p>Description:
+Two four letter word commands “wchp/wchc” are CPU intensive and could cause spike of CPU utilization on ZooKeeper server if abused,
+which leads to the server unable to serve legitimate client requests. There is no known compromise which takes advantage of this vulnerability.</p>
+
+<p>Mitigation:
+This affects ZooKeeper ensembles whose client port is publicly accessible, so it is recommended to protect ZooKeeper ensemble with firewall.
+Documentation has also been updated to clarify on this point. In addition, a patch (ZOOKEEPER-2693) is provided to disable &#8220;wchp/wchc” commands
+by default.</p>
+<ul>
+ <li>ZooKeeper 3.4.x users should upgrade to 3.4.10 or apply the patch.</li>
+ <li>ZooKeeper 3.5.x users should upgrade to 3.5.3 or apply the patch.</li>
</ul>
+<p>References
+[1] https://issues.apache.org/jira/browse/ZOOKEEPER-2693</p>
+
<h3 id="CVE-2016-5017">CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli shell</h3>
<p>Severity: moderate</p>
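Review bot: The new list entry links to `href="#CVE-2018-8012"`, but the heading it should reach is given `id="cve-2018-8012-apache-zookeeper-quorum-peer-mutual-authentication"`, so the anchor does not resolve; the other two entries use the bare CVE id (`id="CVE-2017-5637"`, `id="CVE-2016-5017"`), and the new heading should follow that convention: `<h3 id="CVE-2018-8012">CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication</h3>`. Two smaller consistency points in the same block: the CVE-2018-8012 references are bare URLs inside a `<p>` while the CVE-2016-5017 section wraps its reference in an `<a>` element, so readers of the rendered page cannot click them; and the "References" line of the moved CVE-2017-5637 section lacks the trailing colon that every other field label on the page carries.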
@@ -89,36 +150,6 @@ This issue was discovered by Lyon Yang (@l0Op3r)</p>
<p>References:
<a href="https://zookeeper.apache.org/security.html">Apache ZooKeeper Security Page</a></p>
-<h3 id="CVE-2017-5637">CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)</h3>
-
-<p>Severity: moderate</p>
-
-<p>Vendor:
-The Apache Software Foundation</p>
-
-<p>Versions Affected:
-ZooKeeper 3.4.0 to 3.4.9
-ZooKeeper 3.5.0 to 3.5.2
-The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected</p>
-
-<p>Note: The 3.5 branch is still beta at this time.</p>
-
-<p>Description:
-Two four letter word commands “wchp/wchc” are CPU intensive and could cause spike of CPU utilization on ZooKeeper server if abused,
-which leads to the server unable to serve legitimate client requests. There is no known compromise which takes advantage of this vulnerability.</p>
-
-<p>Mitigation:
-This affects ZooKeeper ensembles whose client port is publicly accessible, so it is recommended to protect ZooKeeper ensemble with firewall.
-Documentation has also been updated to clarify on this point. In addition, a patch (ZOOKEEPER-2693) is provided to disable &#8220;wchp/wchc” commands
-by default.</p>
-<ul>
- <li>ZooKeeper 3.4.x users should upgrade to 3.4.10 or apply the patch.</li>
- <li>ZooKeeper 3.5.x users should upgrade to 3.5.3 or apply the patch.</li>
-</ul>
-
-<p>References
-[1] https://issues.apache.org/jira/browse/ZOOKEEPER-2693</p>
-
</div>
</td>
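Review bot: The thirty removed lines are a verbatim copy of the CVE-2017-5637 block inserted in the previous hunk, so this is a pure move with no content change, and the section order now matches the list order (2018, 2017, 2016). One thing worth checking before merge is the blank-line balance around the retained `<p>References: ... </p>` and the closing `</div>`: the hunk header says 36 old lines and 6 new, and the removal drops the trailing blank line after the moved block, so the rendered page should be confirmed to still separate the CVE-2016-5017 references from the end of the content div.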