You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@zookeeper.apache.org by Patrick Hunt <ph...@apache.org> on 2017/02/14 03:37:06 UTC
ZooKeeper DOS exploit published
Hi folks. The following exploit was recently published on the web and has
come to our attention, it details a ZooKeeper DOS attack against certain
four letter words (4lw), possible when the client port is exposed to
untrusted actors:
https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://
www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
Typically we address security issues on the security@ private mailing list,
publishing a fixed release before publicly releasing the exploit, however
in this case given the information is publicly available already we decided
there's little point to keeping it on security@ exclusively.
http://zookeeper.apache.org/security.html
A JIRA has been created to track this issue:
https://issues.apache.org/jira/browse/ZOOKEEPER-2693
we expect to include a patch to address in 3.4.10 and 3.5.3.
Patrick
Re: ZooKeeper DOS exploit published
Posted by Michael Han <ha...@cloudera.com>.
I have a patch for https://issues.apache.org/jira/browse/ZOOKEEPER-2693 (pull
request 179 <https://github.com/apache/zookeeper/pull/179>). Feedback will
be highly appreciated. It would be good that we can get this in a few days
as it is both a security fix and a blocker for two ongoing releases
(3.4.10/3.5.3).
On Mon, Feb 13, 2017 at 7:37 PM, Patrick Hunt <ph...@apache.org> wrote:
> Hi folks. The following exploit was recently published on the web and has
> come to our attention, it details a ZooKeeper DOS attack against certain
> four letter words (4lw), possible when the client port is exposed to
> untrusted actors:
>
> https://webcache.googleusercontent.com/search?
> q=cache:_CNGIz10PRYJ:https://
> www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
>
> Typically we address security issues on the security@ private mailing
> list,
> publishing a fixed release before publicly releasing the exploit, however
> in this case given the information is publicly available already we decided
> there's little point to keeping it on security@ exclusively.
> http://zookeeper.apache.org/security.html
>
> A JIRA has been created to track this issue:
> https://issues.apache.org/jira/browse/ZOOKEEPER-2693
> we expect to include a patch to address in 3.4.10 and 3.5.3.
>
> Patrick
>
--
Cheers
Michael.
Re: ZooKeeper DOS exploit published
Posted by Michael Han <ha...@cloudera.com>.
I have a patch for https://issues.apache.org/jira/browse/ZOOKEEPER-2693 (pull
request 179 <https://github.com/apache/zookeeper/pull/179>). Feedback will
be highly appreciated. It would be good that we can get this in a few days
as it is both a security fix and a blocker for two ongoing releases
(3.4.10/3.5.3).
On Mon, Feb 13, 2017 at 7:37 PM, Patrick Hunt <ph...@apache.org> wrote:
> Hi folks. The following exploit was recently published on the web and has
> come to our attention, it details a ZooKeeper DOS attack against certain
> four letter words (4lw), possible when the client port is exposed to
> untrusted actors:
>
> https://webcache.googleusercontent.com/search?
> q=cache:_CNGIz10PRYJ:https://
> www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
>
> Typically we address security issues on the security@ private mailing
> list,
> publishing a fixed release before publicly releasing the exploit, however
> in this case given the information is publicly available already we decided
> there's little point to keeping it on security@ exclusively.
> http://zookeeper.apache.org/security.html
>
> A JIRA has been created to track this issue:
> https://issues.apache.org/jira/browse/ZOOKEEPER-2693
> we expect to include a patch to address in 3.4.10 and 3.5.3.
>
> Patrick
>
--
Cheers
Michael.