Posted to user@zookeeper.apache.org by Patrick Hunt <ph...@apache.org> on 2018/05/21 16:51:42 UTC

[CVE-2018-8012] Apache ZooKeeper Quorum Peer mutual authentication

CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication

Severity: Critical

Vendor:
The Apache Software Foundation

Versions Affected:
ZooKeeper prior to 3.4.10
ZooKeeper 3.5.0-alpha through 3.5.3-beta
The unsupported ZooKeeper 1.x through 3.3.x versions may also be affected

Description:
No authentication/authorization is enforced when a server attempts to join
a quorum. As a result, an arbitrary endpoint could join the cluster and
begin propagating counterfeit changes to the leader.

Mitigation:
Upgrade to 3.4.10 or later (3.5.4-beta or later if on the 3.5 branch) and
enable Quorum Peer mutual authentication.

Alternatively, ensure the ensemble election/quorum communication is protected
by a firewall, as this will mitigate the issue.

See the documentation for more details on correct cluster administration.

Credit:
This issue was identified by Földi Tamás and Eugene Koontz

References:
https://issues.apache.org/jira/browse/ZOOKEEPER-1045
https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
http://zookeeper.apache.org/doc/current/zookeeperAdmin.html

Re: [CVE-2018-8012] Apache ZooKeeper Quorum Peer mutual authentication

Posted by Patrick Hunt <ph...@apache.org>.
I missed that step. It's updated now. Thanks!

Patrick

On Mon, May 21, 2018 at 10:27 AM s n <sv...@gmail.com> wrote:

> Is it possible to add it to this page
> https://zookeeper.apache.org/security.html

Re: [CVE-2018-8012] Apache ZooKeeper Quorum Peer mutual authentication

Posted by s n <sv...@gmail.com>.
Is it possible to add it to this page
https://zookeeper.apache.org/security.html
