1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
|
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta http-equiv="Content-Language" content="en" />
<title>Apache ZooKeeper</title>
<link rel="stylesheet" href="css/bootstrap.min.css" />
<script src="js/jquery-3.3.1.slim.min.js"></script>
<script src="js/popper.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<link rel="stylesheet" href="css/site.css" />
<link rel="stylesheet" href="css/print.css" media="print" />
<link rel="shortcut icon" href="images/favicon.ico">
</head>
<body class="topBarEnabled">
<nav class="navbar navbar-expand-lg navbar-light bg-light">
<a class="navbar-brand" href="index.html"><img src="images/zookeeper_small.gif" height="55px"/>Apache ZooKeeper™</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarSupportedContent">
<ul class="navbar-nav mr-auto">
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
Project
</a>
<div class="dropdown-menu" aria-labelledby="navbarDropdown">
<a class="dropdown-item" href="releases.html#news">News</a>
<a class="dropdown-item" href="releases.html">Releases</a>
<a class="dropdown-item" href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Index">Wiki</a>
<a class="dropdown-item" href="credits.html">Credits</a>
<a class="dropdown-item" href="bylaws.html">Bylaws</a>
<a class="dropdown-item" href="https://www.apache.org/licenses/">License</a>
<a class="dropdown-item" href="privacy.html">Privacy Policy</a>
<a class="dropdown-item" href="security.html">Security</a>
<a class="dropdown-item" href="https://www.apache.org/foundation/thanks.html">Thanks</a>
</div>
</li>
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
Documentation
</a>
<div class="dropdown-menu" aria-labelledby="navbarDropdown">
<a class="dropdown-item" href="doc/r3.8.0/index.html">Release 3.8.0</a>
<a class="dropdown-item" href="doc/r3.7.1/index.html">Release 3.7.1</a>
<a class="dropdown-item" href="doc/r3.6.4/index.html">Release 3.6.4</a>
<a class="dropdown-item" href="doc/r3.5.10/index.html">Release 3.5.10</a>
<a class="dropdown-item" href="doc/r3.4.14">Release 3.4.14</a>
<a class="dropdown-item" href="documentation.html">Older Versions</a>
</div>
</li>
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
Developers
</a>
<div class="dropdown-menu" aria-labelledby="navbarDropdown">
<a class="dropdown-item" href="lists.html">Mailing Lists</a>
<a class="dropdown-item" href="irc.html">IRC Channel</a>
<a class="dropdown-item" href="git.html">Version Control</a>
<a class="dropdown-item" href="https://issues.apache.org/jira/browse/ZOOKEEPER">Issue Tracker</a>
<a class="dropdown-item" href="events.html">Events</a>
</div>
</li>
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
ASF
</a>
<div class="dropdown-menu" aria-labelledby="navbarDropdown">
<a class="dropdown-item" href="https://www.apache.org/foundation/" target="_blank" title="Apache Software Foundation">Apache Software Foundation</a>
<a class="dropdown-item" href="https://www.apache.org/foundation/how-it-works.html" target="_blank" title="How Apache Works">How Apache Works</a>
<a class="dropdown-item" href="https://www.apache.org/foundation/sponsorship.html" target="_blank" title="Sponsoring Apache">Sponsoring Apache</a>
</div>
</li>
</ul>
</div>
</nav>
<div class="container">
<!--
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
//-->
<h1>ZooKeeper Security</h1>
<p>The Apache Software Foundation takes security issues very seriously. Due to the infrastructure nature of the Apache ZooKeeper project specifically, we haven't had many reports over time, but it doesn't mean that we haven't had concerns over some bugs and vulnerabilities. If you have any concern or believe you have uncovered a vulnerability, we suggest that you get in touch via the e-mail address <a href="mailto:security@zookeeper.apache.org?Subject=[SECURITY] My security issue"
target="_top">security@zookeeper.apache.org</a>. In the message, try to provide a description of the issue and ideally a way of reproducing it. Note that this security address should be used only for undisclosed vulnerabilities. Dealing with known issues should be handled regularly via jira and the mailing lists. <strong>Please report any security problems to the project security address before disclosing it publicly.</strong></p>
<p>The ASF Security team maintains a page with a description of how vulnerabilities are handled, check their <a href="https://www.apache.org/security/">Web page</a> for more information.</p>
<h2>Vulnerability reports</h2>
<ul>
<li><a href="#CVE-2019-0201">CVE-2019-0201: Information disclosure vulnerability in Apache ZooKeeper</a></li>
<li><a href="#CVE-2018-8012">CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication</a></li>
<li><a href="#CVE-2017-5637">CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)</a></li>
<li><a href="#CVE-2016-5017">CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli shell</a></li>
</ul>
<p><a name="CVE-2019-0201"></a></p>
<h3>CVE-2019-0201: Information disclosure vulnerability in Apache ZooKeeper</h3>
<p>Severity: Critical</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: ZooKeeper prior to 3.4.14 ZooKeeper 3.5.0-alpha through 3.5.4-beta. The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected.</p>
<p>Description: ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.</p>
<p>Mitigation: Use an authentication method other than Digest (e.g. Kerberos) or upgrade to 3.4.14 or later (3.5.5 or later if on the 3.5 branch).</p>
<p>Credit: This issue was identified by Harrison Neal <a href="mailto:harrison@patchadvisor.com">harrison@patchadvisor.com</a> PatchAdvisor, Inc.</p>
<p>References: https://issues.apache.org/jira/browse/ZOOKEEPER-1392</p>
<p><a name="CVE-2018-8012"></a></p>
<h3>CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication</h3>
<p>Severity: Critical</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: ZooKeeper prior to 3.4.10 ZooKeeper 3.5.0-alpha through 3.5.3-beta The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected</p>
<p>Description: No authentication/authorization is enforced when a server attempts to join a quorum. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.</p>
<p>Mitigation: Upgrade to 3.4.10 or later (3.5.4-beta or later if on the 3.5 branch) and enable Quorum Peer mutual authentication.</p>
<p>Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue.</p>
<p>See the documentation for more details on correct cluster administration.</p>
<p>Credit: This issue was identified by Földi Tamás and Eugene Koontz</p>
<p>References: https://issues.apache.org/jira/browse/ZOOKEEPER-1045 https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication https://zookeeper.apache.org/doc/current/zookeeperAdmin.html</p>
<p><a name="CVE-2017-5637"></a></p>
<h3>CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw) {#CVE-2017-5637}</h3>
<p>Severity: moderate</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: ZooKeeper 3.4.0 to 3.4.9 ZooKeeper 3.5.0 to 3.5.2 The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected</p>
<p>Note: The 3.5 branch is still beta at this time.</p>
<p>Description: Two four letter word commands “wchp/wchc” are CPU intensive and could cause spike of CPU utilization on ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. There is no known compromise which takes advantage of this vulnerability.</p>
<p>Mitigation: This affects ZooKeeper ensembles whose client port is publicly accessible, so it is recommended to protect ZooKeeper ensemble with firewall. Documentation has also been updated to clarify on this point. In addition, a patch (ZOOKEEPER-2693) is provided to disable "wchp/wchc” commands by default. - ZooKeeper 3.4.x users should upgrade to 3.4.10 or apply the patch. - ZooKeeper 3.5.x users should upgrade to 3.5.3 or apply the patch.</p>
<p>References [1] https://issues.apache.org/jira/browse/ZOOKEEPER-2693</p>
<p><a name="CVE-2016-5017"></a></p>
<h3>CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli shell {#CVE-2016-5017}</h3>
<p>Severity: moderate</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: ZooKeeper 3.4.0 to 3.4.8 ZooKeeper 3.5.0 to 3.5.2 The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected</p>
<p>Note: The 3.5 branch is still alpha at this time.</p>
<p>Description: The ZooKeeper C client shells "cli_st" and "cli_mt" have a buffer overflow vulnerability associated with parsing of the input command when using the "cmd:<cmd>" batch mode syntax. If the command string exceeds 1024 characters a buffer overflow will occur. There is no known compromise which takes advantage of this vulnerability, and if security is enabled the attacker would be limited by client level security constraints. The C cli shell is intended as a sample/example of how to use the C client interface, not as a production tool - the documentation has also been clarified on this point.</p>
<p>Mitigation: It is important to use the fully featured/supported Java cli shell rather than the C cli shell independent of version.</p>
<ul>
<li>
<p>ZooKeeper 3.4.x users should upgrade to 3.4.9 or apply this <a href="https://gitbox.apache.org/repos/asf?p=zookeeper.git;a=commitdiff;h=27ecf981a15554dc8e64a28630af7a5c9e2bdf4f">patch</a></p>
</li>
<li>
<p>ZooKeeper 3.5.x users should upgrade to 3.5.3 when released or apply this <a href="https://gitbox.apache.org/repos/asf?p=zookeeper.git;a=commitdiff;h=f09154d6648eeb4ec5e1ac8a2bacbd2f8c87c14a">patch</a></p>
</li>
</ul>
<p>The patch solves the problem reported here, but it does not make the client ready for production use. The community has no plan to make this client production ready at this time, and strongly recommends that users move to the Java cli and use the C cli for illustration purposes only.</p>
<p>Credit: This issue was discovered by Lyon Yang (@l0Op3r)</p>
<p>References: <a href="https://zookeeper.apache.org/security.html">Apache ZooKeeper Security Page</a></p>
</div>
<footer>
<div class="row">
<div class="col">Copyright © 2010-2020
<a href="https://www.apache.org/">The Apache Software Foundation</a>, Licensed under the <a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.<br>
Apache ZooKeeper, ZooKeeper, Apache, the Apache feather logo, and the Apache ZooKeeper project logo are trademarks of The Apache Software Foundation.
</div>
<div class="col-sm-2">
<a href="https://apache.org" id="bannerRight">
<img src="images/asf-logo-with-feather.png" height="83px"/>
</a>
</div>
</div>
</footer>
</body>
</html>
|
