Posted to dev@zookeeper.apache.org by hanm <gi...@git.apache.org> on 2017/03/06 21:09:53 UTC

[GitHub] zookeeper pull request #183: ZOOKEEPER-2693: DOS attack on wchp/wchc four le...

GitHub user hanm opened a pull request:

    https://github.com/apache/zookeeper/pull/183

    ZOOKEEPER-2693: DOS attack on wchp/wchc four letter words (4lw).

    Similar to pull request 179, this PR introduces a new property, zookeeper.4lw.commands.whitelist, to branch-3.4.
    Unlike branch-3.5, where all 4lw (with few exceptions) are disabled by default, for branch-3.4 only "wchp" and "wchc" are disabled by default - since 4lw is widely used and there are no alternatives in branch-3.4, we just disable the exploitable ones.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/hanm/zookeeper ZOOKEEPER-2693-br-3.4

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zookeeper/pull/183.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #183
    

---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
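The PR description above explains the whitelist semantics for branch-3.4 (absent property: everything except wchp/wchc; explicit list: only what is listed; `*`: everything). The following Python script is an added illustration of those documented rules for auditing a zoo.cfg from the operator's side; it is not ZooKeeper's own parsing code, and the set of supported 3.4 commands it carries is an assumption made for the example.

```python
"""Resolve which ZooKeeper four-letter-word (4lw) commands a zoo.cfg enables.

Added illustration of the semantics documented for 4lw.commands.whitelist in
this PR; it is not ZooKeeper's own parsing code.  The set of supported 3.4
commands below is an assumption for the example.
"""
from dataclasses import dataclass

# Assumed list of 4lw commands supported by the 3.4 branch (constructed for
# this example; check your server's documentation for the authoritative set).
SUPPORTED_4LW = frozenset({
    "conf", "cons", "crst", "dump", "envi", "ruok", "srst", "srvr",
    "stat", "wchs", "wchc", "wchp", "mntr", "isro", "gtmk", "stmk",
})

# Commands the PR disables by default: they make the server enumerate every
# watch by path / by connection, which is the cost behind ZOOKEEPER-2693.
EXPENSIVE_4LW = frozenset({"wchp", "wchc"})


def parse_properties(cfg_text: str) -> dict:
    """Parse key=value lines of a zoo.cfg, ignoring blanks and '#' comments."""
    props = {}
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _listed(value: str) -> set:
    """Split a comma-separated value and trim whitespace around each entry."""
    return {e.strip() for e in value.split(",") if e.strip()}


def resolve_4lw_whitelist(props: dict) -> frozenset:
    """Apply the documented rules: absent -> all but wchp/wchc, '*' -> all,
    otherwise exactly the listed commands."""
    value = props.get("4lw.commands.whitelist")
    if value is None:
        return SUPPORTED_4LW - EXPENSIVE_4LW
    entries = _listed(value)
    if "*" in entries:
        # Note: '*' re-enables wchp and wchc as well.
        return SUPPORTED_4LW
    # Unknown names cannot enable anything, so they are dropped here.
    return frozenset(entries & SUPPORTED_4LW)


@dataclass(frozen=True)
class Audit:
    enabled: frozenset
    expensive_enabled: frozenset   # subset of enabled that is wchp/wchc
    unknown: frozenset             # listed names the server does not support


def audit_config(cfg_text: str) -> Audit:
    """Report what a zoo.cfg enables and flag the expensive commands."""
    props = parse_properties(cfg_text)
    enabled = resolve_4lw_whitelist(props)
    listed = _listed(props.get("4lw.commands.whitelist", "")) - {"*"}
    return Audit(enabled=enabled,
                 expensive_enabled=enabled & EXPENSIVE_4LW,
                 unknown=frozenset(listed - SUPPORTED_4LW))


# Constructed sample configurations for the three documented cases.
CFG_DEFAULT = "tickTime=2000\ndataDir=/var/lib/zookeeper\nclientPort=2181\n"
CFG_EXPLICIT = CFG_DEFAULT + "4lw.commands.whitelist=stat, ruok, conf, isro\n"
CFG_STAR = CFG_DEFAULT + "4lw.commands.whitelist=*\n"

if __name__ == "__main__":
    for name, cfg in (("default", CFG_DEFAULT), ("explicit", CFG_EXPLICIT), ("star", CFG_STAR)):
        a = audit_config(cfg)
        print(f"{name}: enabled={sorted(a.enabled)} expensive={sorted(a.expensive_enabled)}")
```

Running it shows the point worth remembering when reviewing a config: the default and the explicit list both leave wchp/wchc off, while `*` turns them back on, so a wildcard whitelist silently undoes the PR's default.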

[GitHub] zookeeper pull request #183: ZOOKEEPER-2693: DOS attack on wchp/wchc four le...

Posted by hanm <gi...@git.apache.org>.
Github user hanm commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/183#discussion_r104579958
  
    --- Diff: src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml ---
    @@ -1042,6 +1042,40 @@ server.3=zoo3:2888:3888</programlisting>
                   </note>
                 </listitem>
               </varlistentry>
    +
    +          <varlistentry>
    +            <term>4lw.commands.whitelist</term>
    +
    +            <listitem>
    +              <para>(Java system property: <emphasis
    +                      role="bold">zookeeper.4lw.commands.whitelist</emphasis>)</para>
    +
    +              <para><emphasis role="bold">New in 3.4.10:</emphasis>
    +                This property contains a list of comma separated
    +                <ulink url="#sc_4lw">Four Letter Words</ulink> commands. It is introduced
    +                to provide fine grained control over the set of commands ZooKeeper can execute,
    +                so users can turn off certain commands if necessary.
    +                By default it contains all supported four letter word commands except "wchp" and "wchc",
    +                if the property is not specified. If the property is specified, then only commands listed
    +                in the whitelist are enabled.
    +              </para>
    +
    +              <para>Here's an example of the configuration that enables stat, ruok, conf, and isro
    +                command while disabling the rest of Four Letter Words command:</para>
    +              <programlisting>
    +                4lw.commands.whitelist=stat, ruok, conf, isro
    +              </programlisting>
    +
    +              <para>Users can also use asterisk option so they don't have to include every command one by one in the list.
    +                As an example, this will enable all four letter word commands:
    +              </para>
    +              <programlisting>
    +                4lw.commands.whitelist=*
    +              </programlisting>
    +
    +            </listitem>
    +          </varlistentry>
    +
             </variablelist>
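Review bot: the example `4lw.commands.whitelist=stat, ruok, conf, isro` has a space after each comma while the text only says "comma separated"; either confirm the property parser trims whitespace around entries and say so in the paragraph, or drop the spaces from the example, otherwise an operator copying it could end up with only "stat" enabled. Two wording fixes in the same hunk: "use asterisk option" should read "use the asterisk option", and "the rest of Four Letter Words command" should read "the rest of the Four Letter Word commands".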
    --- End diff --
    
    Included.



[GitHub] zookeeper issue #183: ZOOKEEPER-2693: DOS attack on wchp/wchc four letter wo...

Posted by rakeshadr <gi...@git.apache.org>.
Github user rakeshadr commented on the issue:

    https://github.com/apache/zookeeper/pull/183
  
    Thanks @hanm. +1 LGTM



[GitHub] zookeeper pull request #183: ZOOKEEPER-2693: DOS attack on wchp/wchc four le...

Posted by hanm <gi...@git.apache.org>.
Github user hanm closed the pull request at:

    https://github.com/apache/zookeeper/pull/183



[GitHub] zookeeper pull request #183: ZOOKEEPER-2693: DOS attack on wchp/wchc four le...

Posted by rakeshadr <gi...@git.apache.org>.
Github user rakeshadr commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/183#discussion_r104572803
  
    --- Diff: src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml ---
    @@ -1042,6 +1042,40 @@ server.3=zoo3:2888:3888</programlisting>
                   </note>
                 </listitem>
               </varlistentry>
    +
    +          <varlistentry>
    +            <term>4lw.commands.whitelist</term>
    +
    +            <listitem>
    +              <para>(Java system property: <emphasis
    +                      role="bold">zookeeper.4lw.commands.whitelist</emphasis>)</para>
    +
    +              <para><emphasis role="bold">New in 3.4.10:</emphasis>
    +                This property contains a list of comma separated
    +                <ulink url="#sc_4lw">Four Letter Words</ulink> commands. It is introduced
    +                to provide fine grained control over the set of commands ZooKeeper can execute,
    +                so users can turn off certain commands if necessary.
    +                By default it contains all supported four letter word commands except "wchp" and "wchc",
    +                if the property is not specified. If the property is specified, then only commands listed
    +                in the whitelist are enabled.
    +              </para>
    +
    +              <para>Here's an example of the configuration that enables stat, ruok, conf, and isro
    +                command while disabling the rest of Four Letter Words command:</para>
    +              <programlisting>
    +                4lw.commands.whitelist=stat, ruok, conf, isro
    +              </programlisting>
    +
    +              <para>Users can also use asterisk option so they don't have to include every command one by one in the list.
    +                As an example, this will enable all four letter word commands:
    +              </para>
    +              <programlisting>
    +                4lw.commands.whitelist=*
    +              </programlisting>
    +
    +            </listitem>
    +          </varlistentry>
    +
             </variablelist>
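Review bot: the `4lw.commands.whitelist=*` paragraph should state explicitly that the asterisk also re-enables "wchp" and "wchc", the two commands the preceding paragraph says are off by default; as written, a reader can take `*` to mean "the default plus everything else" rather than "everything including the commands this change disables".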
    --- End diff --
    
    The section below is not included in the br-3.4 patch; can we include this also?
    ```
    +        <varlistentry>
    +          <term>Publicly accessible deployment</term>
    +          <listitem>
    +            <para>
    +              A ZooKeeper ensemble is expected to operate in a trusted computing environment.
    +              It is thus recommended to deploy ZooKeeper behind a firewall.
    +            </para>
    +          </listitem>
    +        </varlistentry>
    ```

