You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@zookeeper.apache.org by Andor Molnar <an...@apache.org> on 2024/03/14 15:52:52 UTC
CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling
Severity: critical
Affected versions:
- Apache ZooKeeper 3.9.0 through 3.9.1
- Apache ZooKeeper 3.8.0 through 3.8.3
- Apache ZooKeeper 3.6.0 through 3.7.2
Description:
Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical.
Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.
Credit:
周吉安(寒泉) <zh...@alibaba-inc.com> (reporter)
References:
https://zookeeper.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-23944
Re: CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling
Posted by Li Wang <li...@gmail.com>.
Perfect, thanks Andor.
We will patch it ourselves.
Best,
Li
On Thu, Mar 14, 2024 at 1:11 PM Andor Molnar <an...@apache.org> wrote:
> Hi Li,
>
> That's the right ticket.
>
> I've just updated the Jira ticket with the links to the commits.
> There's no PR since it was a security fix, but looks like we forgot to
> add it to the master branch.
>
> Damien, would you please take care of that?
>
> Btw, we don't plan to fix it in the 3.7 release line, but the patch is
> already on the branch for your convenience:
> 29c7b9462681f47c2ac12e609341cf9f52abac5c
>
> Regards,
> Andor
>
>
>
> On Thu, 2024-03-14 at 12:58 -0700, Li Wang wrote:
> > Thanks, Andor.
> >
> > Do you have the PR link for the fix in 3.9.2 and 3.8.4? There is a
> > JIRA ticket in the release notes of 3.9.2 and 3.8.4, but the status
> > is
> > still OPEN and there is no PR link there.
> >
> > https://issues.apache.org/jira/browse/ZOOKEEPER-4799
> >
> > We are in 3.7.2 and may need to patch it ourselves.
> >
> > Best,
> >
> > Li
> >
> >
> >
> > On Thu, Mar 14, 2024 at 8:52 AM Andor Molnar <an...@apache.org>
> > wrote:
> >
> > > Severity: critical
> > >
> > > Affected versions:
> > >
> > > - Apache ZooKeeper 3.9.0 through 3.9.1
> > > - Apache ZooKeeper 3.8.0 through 3.8.3
> > > - Apache ZooKeeper 3.6.0 through 3.7.2
> > >
> > > Description:
> > >
> > > Information disclosure in persistent watchers handling in Apache
> > > ZooKeeper
> > > due to missing ACL check. It allows an attacker to monitor child
> > > znodes by
> > > attaching a persistent watcher (addWatch command) to a parent which
> > > the
> > > attacker has already access to. ZooKeeper server doesn't do ACL
> > > check when
> > > the persistent watcher is triggered and as a consequence, the full
> > > path of
> > > znodes that a watch event gets triggered upon is exposed to the
> > > owner of
> > > the watcher. It's important to note that only the path is exposed
> > > by this
> > > vulnerability, not the data of znode, but since znode path can
> > > contain
> > > sensitive information like user name or login ID, this issue is
> > > potentially
> > > critical.
> > >
> > > Users are recommended to upgrade to version 3.9.2, 3.8.4 which
> > > fixes the
> > > issue.
> > >
> > > Credit:
> > >
> > > 周吉安(寒泉) <zh...@alibaba-inc.com> (reporter)
> > >
> > > References:
> > >
> > > https://zookeeper.apache.org/
> > > https://www.cve.org/CVERecord?id=CVE-2024-23944
> > >
> > >
>
>
Re: CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling
Posted by Damien Diederen <dd...@apache.org>.
Hi Andor, Li,
> […] add it to the master branch.
>
> Damien, would you please take care of that?
Yes, I will do so.
>> We are in 3.7.2 and may need to patch it ourselves.
>>
> Btw, we don't plan to fix it in the 3.7 release line, but the patch is
> already on the branch for your convenience:
> 29c7b9462681f47c2ac12e609341cf9f52abac5c
Indeed. There was even a release candidate for 3.7.3, which is to be
abandoned. (But see attached email in case it helps.)
Cheers, -D
Andor Molnar <an...@apache.org> writes:
> Hi Li,
>
> That's the right ticket.
>
> I've just updated the Jira ticket with the links to the commits.
> There's no PR since it was a security fix, but looks like we forgot to
> add it to the master branch.
>
> Damien, would you please take care of that?
>
> Btw, we don't plan to fix it in the 3.7 release line, but the patch is
> already on the branch for your convenience:
> 29c7b9462681f47c2ac12e609341cf9f52abac5c
>
> Regards,
> Andor
>
>
>
> On Thu, 2024-03-14 at 12:58 -0700, Li Wang wrote:
>> Thanks, Andor.
>>
>> Do you have the PR link for the fix in 3.9.2 and 3.8.4? There is a
>> JIRA ticket in the release notes of 3.9.2 and 3.8.4, but the status
>> is
>> still OPEN and there is no PR link there.
>>
>> https://issues.apache.org/jira/browse/ZOOKEEPER-4799
>>
>> We are in 3.7.2 and may need to patch it ourselves.
>>
>> Best,
>>
>> Li
>>
>>
>>
>> On Thu, Mar 14, 2024 at 8:52 AM Andor Molnar <an...@apache.org>
>> wrote:
>>
>> > Severity: critical
>> >
>> > Affected versions:
>> >
>> > - Apache ZooKeeper 3.9.0 through 3.9.1
>> > - Apache ZooKeeper 3.8.0 through 3.8.3
>> > - Apache ZooKeeper 3.6.0 through 3.7.2
>> >
>> > Description:
>> >
>> > Information disclosure in persistent watchers handling in Apache
>> > ZooKeeper
>> > due to missing ACL check. It allows an attacker to monitor child
>> > znodes by
>> > attaching a persistent watcher (addWatch command) to a parent which
>> > the
>> > attacker has already access to. ZooKeeper server doesn't do ACL
>> > check when
>> > the persistent watcher is triggered and as a consequence, the full
>> > path of
>> > znodes that a watch event gets triggered upon is exposed to the
>> > owner of
>> > the watcher. It's important to note that only the path is exposed
>> > by this
>> > vulnerability, not the data of znode, but since znode path can
>> > contain
>> > sensitive information like user name or login ID, this issue is
>> > potentially
>> > critical.
>> >
>> > Users are recommended to upgrade to version 3.9.2, 3.8.4 which
>> > fixes the
>> > issue.
>> >
>> > Credit:
>> >
>> > 周吉安(寒泉) <zh...@alibaba-inc.com> (reporter)
>> >
>> > References:
>> >
>> > https://zookeeper.apache.org/
>> > https://www.cve.org/CVERecord?id=CVE-2024-23944
>> >
>> >
Re: CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling
Posted by Andor Molnar <an...@apache.org>.
Hi Li,
That's the right ticket.
I've just updated the Jira ticket with the links to the commits.
There's no PR since it was a security fix, but looks like we forgot to
add it to the master branch.
Damien, would you please take care of that?
Btw, we don't plan to fix it in the 3.7 release line, but the patch is
already on the branch for your convenience:
29c7b9462681f47c2ac12e609341cf9f52abac5c
Regards,
Andor
On Thu, 2024-03-14 at 12:58 -0700, Li Wang wrote:
> Thanks, Andor.
>
> Do you have the PR link for the fix in 3.9.2 and 3.8.4? There is a
> JIRA ticket in the release notes of 3.9.2 and 3.8.4, but the status
> is
> still OPEN and there is no PR link there.
>
> https://issues.apache.org/jira/browse/ZOOKEEPER-4799
>
> We are in 3.7.2 and may need to patch it ourselves.
>
> Best,
>
> Li
>
>
>
> On Thu, Mar 14, 2024 at 8:52 AM Andor Molnar <an...@apache.org>
> wrote:
>
> > Severity: critical
> >
> > Affected versions:
> >
> > - Apache ZooKeeper 3.9.0 through 3.9.1
> > - Apache ZooKeeper 3.8.0 through 3.8.3
> > - Apache ZooKeeper 3.6.0 through 3.7.2
> >
> > Description:
> >
> > Information disclosure in persistent watchers handling in Apache
> > ZooKeeper
> > due to missing ACL check. It allows an attacker to monitor child
> > znodes by
> > attaching a persistent watcher (addWatch command) to a parent which
> > the
> > attacker has already access to. ZooKeeper server doesn't do ACL
> > check when
> > the persistent watcher is triggered and as a consequence, the full
> > path of
> > znodes that a watch event gets triggered upon is exposed to the
> > owner of
> > the watcher. It's important to note that only the path is exposed
> > by this
> > vulnerability, not the data of znode, but since znode path can
> > contain
> > sensitive information like user name or login ID, this issue is
> > potentially
> > critical.
> >
> > Users are recommended to upgrade to version 3.9.2, 3.8.4 which
> > fixes the
> > issue.
> >
> > Credit:
> >
> > 周吉安(寒泉) <zh...@alibaba-inc.com> (reporter)
> >
> > References:
> >
> > https://zookeeper.apache.org/
> > https://www.cve.org/CVERecord?id=CVE-2024-23944
> >
> >
Re: CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling
Posted by Li Wang <li...@gmail.com>.
Thanks, Andor.
Do you have the PR link for the fix in 3.9.2 and 3.8.4? There is a
JIRA ticket in the release notes of 3.9.2 and 3.8.4, but the status is
still OPEN and there is no PR link there.
https://issues.apache.org/jira/browse/ZOOKEEPER-4799
We are in 3.7.2 and may need to patch it ourselves.
Best,
Li
On Thu, Mar 14, 2024 at 8:52 AM Andor Molnar <an...@apache.org> wrote:
> Severity: critical
>
> Affected versions:
>
> - Apache ZooKeeper 3.9.0 through 3.9.1
> - Apache ZooKeeper 3.8.0 through 3.8.3
> - Apache ZooKeeper 3.6.0 through 3.7.2
>
> Description:
>
> Information disclosure in persistent watchers handling in Apache ZooKeeper
> due to missing ACL check. It allows an attacker to monitor child znodes by
> attaching a persistent watcher (addWatch command) to a parent which the
> attacker has already access to. ZooKeeper server doesn't do ACL check when
> the persistent watcher is triggered and as a consequence, the full path of
> znodes that a watch event gets triggered upon is exposed to the owner of
> the watcher. It's important to note that only the path is exposed by this
> vulnerability, not the data of znode, but since znode path can contain
> sensitive information like user name or login ID, this issue is potentially
> critical.
>
> Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the
> issue.
>
> Credit:
>
> 周吉安(寒泉) <zh...@alibaba-inc.com> (reporter)
>
> References:
>
> https://zookeeper.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2024-23944
>
>
Re: CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling
Posted by Li Wang <li...@gmail.com>.
Thanks, Andor.
Do you have the PR link for the fix in 3.9.2 and 3.8.4? There is a
JIRA ticket in the release notes of 3.9.2 and 3.8.4, but the status is
still OPEN and there is no PR link there.
https://issues.apache.org/jira/browse/ZOOKEEPER-4799
We are in 3.7.2 and may need to patch it ourselves.
Best,
Li
On Thu, Mar 14, 2024 at 8:52 AM Andor Molnar <an...@apache.org> wrote:
> Severity: critical
>
> Affected versions:
>
> - Apache ZooKeeper 3.9.0 through 3.9.1
> - Apache ZooKeeper 3.8.0 through 3.8.3
> - Apache ZooKeeper 3.6.0 through 3.7.2
>
> Description:
>
> Information disclosure in persistent watchers handling in Apache ZooKeeper
> due to missing ACL check. It allows an attacker to monitor child znodes by
> attaching a persistent watcher (addWatch command) to a parent which the
> attacker has already access to. ZooKeeper server doesn't do ACL check when
> the persistent watcher is triggered and as a consequence, the full path of
> znodes that a watch event gets triggered upon is exposed to the owner of
> the watcher. It's important to note that only the path is exposed by this
> vulnerability, not the data of znode, but since znode path can contain
> sensitive information like user name or login ID, this issue is potentially
> critical.
>
> Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the
> issue.
>
> Credit:
>
> 周吉安(寒泉) <zh...@alibaba-inc.com> (reporter)
>
> References:
>
> https://zookeeper.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2024-23944
>
>