You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@zookeeper.apache.org by "Fu, Xiaoqin" <xi...@wsu.edu> on 2019/08/09 15:49:17 UTC
An Apache Zookeeper Security Vulnerability
Dear developers:
I am a Ph.D. student at Washington State University. I applied dynamic taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11). And then I find a security vulnerability, that exists from 3.4.11-3.4.14 and 3.5.5, from tainted paths.
Possible information leakage from FileTxnSnapLog to log without LOG control LOG.isDebugEnabled():
In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the statement LOG.debug don't have LOG controls:
public void processTransaction(TxnHeader hdr,DataTree dt,
Map<Long, Integer> sessions, Record txn)
throws KeeperException.NoNodeException {
......
if (rc.err != Code.OK.intValue()) {
LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
+ ", error: " + rc.err + ", path: " + rc.path);
}
......
}
Sensitive information about hdr type or rc path may be leaked. The conditional statement LOG.isDebugEnabled() should be added:
public void processTransaction(TxnHeader hdr,DataTree dt,
Map<Long, Integer> sessions, Record txn)
throws KeeperException.NoNodeException {
......
if (rc.err != Code.OK.intValue()) {
if (LOG.isDebugEnabled())
LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
+ ", error: " + rc.err + ", path: " + rc.path);
}
......
}
Please help me confirm it and give it a CVE ID.
Thank you very much!
Yours sincerely
Xiaoqin Fu
Re: An Apache Zookeeper Security Vulnerability
Posted by Norbert Kalmar <nk...@cloudera.com.INVALID>.
Hello Xiaoqin,
My understanding is that log guards is used for performance reasons. I
don't see how it can prevent information leakage.
I'd also like to add, that please use the security mailing list first if
you think you found a CVE. - security@zookeeper.apache.org
More info here:
https://zookeeper.apache.org/security.html
Thank you!
Regards,
Norbert
On Sat, Aug 10, 2019 at 1:31 AM Patrick Hunt <ph...@apache.org> wrote:
> On Fri, Aug 9, 2019 at 9:34 AM Enrico Olivelli <eo...@gmail.com>
> wrote:
>
> > Those points do not seem a security issue
> >
> >
> Agree. First off the data is not sensitive. Also it's debug level and
> logged on the server. See
> https://issues.apache.org/jira/browse/ZOOKEEPER-3488 - similar situation
> although in this case debug is not the default - user would actively have
> to turn this on.
>
> Patrick
>
>
> >
> > Enrico
> >
> >
> > Il ven 9 ago 2019, 17:52 Fu, Xiaoqin <xi...@wsu.edu> ha scritto:
> >
> > > Dear developers:
> > > I am a Ph.D. student at Washington State University. I applied
> > > dynamic taint analyzer (distTaint) to Apache Zookeeper (version
> 3.4.11).
> > > And then I find a security vulnerability, that exists from
> 3.4.11-3.4.14
> > > and 3.5.5, from tainted paths.
> > >
> > > Possible information leakage from FileTxnSnapLog to log without LOG
> > > control LOG.isDebugEnabled():
> > > In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the
> statement
> > > LOG.debug don't have LOG controls:
> > > public void processTransaction(TxnHeader hdr,DataTree dt,
> > > Map<Long, Integer> sessions, Record txn)
> > > throws KeeperException.NoNodeException {
> > > ......
> > > if (rc.err != Code.OK.intValue()) {
> > > LOG.debug("Ignoring processTxn failure hdr:" +
> hdr.getType()
> > > + ", error: " + rc.err + ", path: " + rc.path);
> > > }
> > > ......
> > > }
> > >
> > > Sensitive information about hdr type or rc path may be leaked. The
> > > conditional statement LOG.isDebugEnabled() should be added:
> > > public void processTransaction(TxnHeader hdr,DataTree dt,
> > > Map<Long, Integer> sessions, Record txn)
> > > throws KeeperException.NoNodeException {
> > > ......
> > > if (rc.err != Code.OK.intValue()) {
> > > if (LOG.isDebugEnabled())
> > > LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> > > + ", error: " + rc.err + ", path: " + rc.path);
> > > }
> > > ......
> > > }
> > > Please help me confirm it and give it a CVE ID.
> > >
> > > Thank you very much!
> > > Yours sincerely
> > > Xiaoqin Fu
> > >
> > >
> >
>
Re: An Apache Zookeeper Security Vulnerability
Posted by Patrick Hunt <ph...@apache.org>.
On Fri, Aug 9, 2019 at 9:34 AM Enrico Olivelli <eo...@gmail.com> wrote:
> Those points do not seem a security issue
>
>
Agree. First off the data is not sensitive. Also it's debug level and
logged on the server. See
https://issues.apache.org/jira/browse/ZOOKEEPER-3488 - similar situation
although in this case debug is not the default - user would actively have
to turn this on.
Patrick
>
> Enrico
>
>
> Il ven 9 ago 2019, 17:52 Fu, Xiaoqin <xi...@wsu.edu> ha scritto:
>
> > Dear developers:
> > I am a Ph.D. student at Washington State University. I applied
> > dynamic taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11).
> > And then I find a security vulnerability, that exists from 3.4.11-3.4.14
> > and 3.5.5, from tainted paths.
> >
> > Possible information leakage from FileTxnSnapLog to log without LOG
> > control LOG.isDebugEnabled():
> > In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the statement
> > LOG.debug don't have LOG controls:
> > public void processTransaction(TxnHeader hdr,DataTree dt,
> > Map<Long, Integer> sessions, Record txn)
> > throws KeeperException.NoNodeException {
> > ......
> > if (rc.err != Code.OK.intValue()) {
> > LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> > + ", error: " + rc.err + ", path: " + rc.path);
> > }
> > ......
> > }
> >
> > Sensitive information about hdr type or rc path may be leaked. The
> > conditional statement LOG.isDebugEnabled() should be added:
> > public void processTransaction(TxnHeader hdr,DataTree dt,
> > Map<Long, Integer> sessions, Record txn)
> > throws KeeperException.NoNodeException {
> > ......
> > if (rc.err != Code.OK.intValue()) {
> > if (LOG.isDebugEnabled())
> > LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> > + ", error: " + rc.err + ", path: " + rc.path);
> > }
> > ......
> > }
> > Please help me confirm it and give it a CVE ID.
> >
> > Thank you very much!
> > Yours sincerely
> > Xiaoqin Fu
> >
> >
>
Re: An Apache Zookeeper Security Vulnerability
Posted by Patrick Hunt <ph...@apache.org>.
On Fri, Aug 9, 2019 at 9:34 AM Enrico Olivelli <eo...@gmail.com> wrote:
> Those points do not seem a security issue
>
>
Agree. First off the data is not sensitive. Also it's debug level and
logged on the server. See
https://issues.apache.org/jira/browse/ZOOKEEPER-3488 - similar situation
although in this case debug is not the default - user would actively have
to turn this on.
Patrick
>
> Enrico
>
>
> Il ven 9 ago 2019, 17:52 Fu, Xiaoqin <xi...@wsu.edu> ha scritto:
>
> > Dear developers:
> > I am a Ph.D. student at Washington State University. I applied
> > dynamic taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11).
> > And then I find a security vulnerability, that exists from 3.4.11-3.4.14
> > and 3.5.5, from tainted paths.
> >
> > Possible information leakage from FileTxnSnapLog to log without LOG
> > control LOG.isDebugEnabled():
> > In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the statement
> > LOG.debug don't have LOG controls:
> > public void processTransaction(TxnHeader hdr,DataTree dt,
> > Map<Long, Integer> sessions, Record txn)
> > throws KeeperException.NoNodeException {
> > ......
> > if (rc.err != Code.OK.intValue()) {
> > LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> > + ", error: " + rc.err + ", path: " + rc.path);
> > }
> > ......
> > }
> >
> > Sensitive information about hdr type or rc path may be leaked. The
> > conditional statement LOG.isDebugEnabled() should be added:
> > public void processTransaction(TxnHeader hdr,DataTree dt,
> > Map<Long, Integer> sessions, Record txn)
> > throws KeeperException.NoNodeException {
> > ......
> > if (rc.err != Code.OK.intValue()) {
> > if (LOG.isDebugEnabled())
> > LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> > + ", error: " + rc.err + ", path: " + rc.path);
> > }
> > ......
> > }
> > Please help me confirm it and give it a CVE ID.
> >
> > Thank you very much!
> > Yours sincerely
> > Xiaoqin Fu
> >
> >
>
Re: An Apache Zookeeper Security Vulnerability
Posted by Enrico Olivelli <eo...@gmail.com>.
Those points do not seem a security issue
Enrico
Il ven 9 ago 2019, 17:52 Fu, Xiaoqin <xi...@wsu.edu> ha scritto:
> Dear developers:
> I am a Ph.D. student at Washington State University. I applied
> dynamic taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11).
> And then I find a security vulnerability, that exists from 3.4.11-3.4.14
> and 3.5.5, from tainted paths.
>
> Possible information leakage from FileTxnSnapLog to log without LOG
> control LOG.isDebugEnabled():
> In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the statement
> LOG.debug don't have LOG controls:
> public void processTransaction(TxnHeader hdr,DataTree dt,
> Map<Long, Integer> sessions, Record txn)
> throws KeeperException.NoNodeException {
> ......
> if (rc.err != Code.OK.intValue()) {
> LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> + ", error: " + rc.err + ", path: " + rc.path);
> }
> ......
> }
>
> Sensitive information about hdr type or rc path may be leaked. The
> conditional statement LOG.isDebugEnabled() should be added:
> public void processTransaction(TxnHeader hdr,DataTree dt,
> Map<Long, Integer> sessions, Record txn)
> throws KeeperException.NoNodeException {
> ......
> if (rc.err != Code.OK.intValue()) {
> if (LOG.isDebugEnabled())
> LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> + ", error: " + rc.err + ", path: " + rc.path);
> }
> ......
> }
> Please help me confirm it and give it a CVE ID.
>
> Thank you very much!
> Yours sincerely
> Xiaoqin Fu
>
>
Re: An Apache Zookeeper Security Vulnerability
Posted by Enrico Olivelli <eo...@gmail.com>.
Those points do not seem a security issue
Enrico
Il ven 9 ago 2019, 17:52 Fu, Xiaoqin <xi...@wsu.edu> ha scritto:
> Dear developers:
> I am a Ph.D. student at Washington State University. I applied
> dynamic taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11).
> And then I find a security vulnerability, that exists from 3.4.11-3.4.14
> and 3.5.5, from tainted paths.
>
> Possible information leakage from FileTxnSnapLog to log without LOG
> control LOG.isDebugEnabled():
> In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the statement
> LOG.debug don't have LOG controls:
> public void processTransaction(TxnHeader hdr,DataTree dt,
> Map<Long, Integer> sessions, Record txn)
> throws KeeperException.NoNodeException {
> ......
> if (rc.err != Code.OK.intValue()) {
> LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> + ", error: " + rc.err + ", path: " + rc.path);
> }
> ......
> }
>
> Sensitive information about hdr type or rc path may be leaked. The
> conditional statement LOG.isDebugEnabled() should be added:
> public void processTransaction(TxnHeader hdr,DataTree dt,
> Map<Long, Integer> sessions, Record txn)
> throws KeeperException.NoNodeException {
> ......
> if (rc.err != Code.OK.intValue()) {
> if (LOG.isDebugEnabled())
> LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> + ", error: " + rc.err + ", path: " + rc.path);
> }
> ......
> }
> Please help me confirm it and give it a CVE ID.
>
> Thank you very much!
> Yours sincerely
> Xiaoqin Fu
>
>