Posted to commits@zookeeper.apache.org by ph...@apache.org on 2017/10/09 17:26:41 UTC

svn commit: r1811586 - /zookeeper/site/trunk/content/security.textile

Author: phunt
Date: Mon Oct  9 17:26:41 2017
New Revision: 1811586

URL: http://svn.apache.org/viewvc?rev=1811586&view=rev
Log:
Documented CVE-2017-5637

Modified:
    zookeeper/site/trunk/content/security.textile

Modified: zookeeper/site/trunk/content/security.textile
URL: http://svn.apache.org/viewvc/zookeeper/site/trunk/content/security.textile?rev=1811586&r1=1811585&r2=1811586&view=diff
==============================================================================
--- zookeeper/site/trunk/content/security.textile (original)
+++ zookeeper/site/trunk/content/security.textile Mon Oct  9 17:26:41 2017
@@ -25,6 +25,7 @@ The ASF Security team maintains a page w
 h2. Vulnerability reports
 
 * "CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli shell":#CVE-2016-5017 
+* "CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)":#CVE-2017-5637
 
 
 h3(#CVE-2016-5017). CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli shell
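Review bot: Style point on the new list entry: "DOS" should read "DoS" (denial of service), the conventional capitalization, since "DOS" reads as the operating system; the same applies to the h3 title added later in this commit. The anchor text `#CVE-2017-5637` does match the new `h3(#CVE-2017-5637)` heading, so the in-page link will resolve.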
@@ -73,3 +74,31 @@ This issue was discovered by Lyon Yang (
 References:
 "Apache ZooKeeper Security Page":https://zookeeper.apache.org/security.html
 
+
+h3(#CVE-2017-5637). CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)
+
+Severity: moderate
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+ZooKeeper 3.4.0 to 3.4.9
+ZooKeeper 3.5.0 to 3.5.2
+The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected
+
+Note: The 3.5 branch is still beta at this time.
+
+Description:
+Two four letter word commands “wchp/wchc” are CPU intensive and could cause spike of CPU utilization on ZooKeeper server if abused,
+which leads to the server unable to serve legitimate client requests. There is no known compromise which takes advantage of this vulnerability.
+
+Mitigation:
+This affects ZooKeeper ensembles whose client port is publicly accessible, so it is recommended to protect ZooKeeper ensemble with firewall.
+Documentation has also been updated to clarify on this point. In addition, a patch (ZOOKEEPER-2693) is provided to disable "wchp/wchc” commands
+by default.
+- ZooKeeper 3.4.x users should upgrade to 3.4.10 or apply the patch.
+- ZooKeeper 3.5.x users should upgrade to 3.5.3 or apply the patch.
+
+References
+[1] https://issues.apache.org/jira/browse/ZOOKEEPER-2693
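Review bot: The Mitigation block says the patch disables the wchp/wchc commands by default but gives operators who rely on them (for monitoring, for example) no pointer to how they can be re-enabled after upgrading; add a link to the updated documentation the same paragraph refers to. Three consistency issues in the same hunk: the two mitigation lines use "- " as a bullet marker whereas the page's existing lists use "* " (see the Vulnerability reports list), so in Textile they may render as literal hyphens rather than a list; the closing "References" heading drops both the colon and the `"Title":url` link form the CVE-2016-5017 entry uses, and `[1] https://issues.apache.org/jira/browse/ZOOKEEPER-2693` should follow that form; and the quotes around wchp/wchc mix curly and straight characters (“wchp/wchc” in the Description, "wchp/wchc” in the Mitigation), so normalize them to straight quotes. If the reporter is known, also add the discoverer credit the earlier entry carries (the hunk header context shows its "This issue was discovered by Lyon Yang" line).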