Posted to commits@zookeeper.apache.org by bu...@apache.org on 2017/10/09 17:27:04 UTC
svn commit: r1019298 - in /websites/staging/zookeeper/trunk/content: ./ security.html
Author: buildbot
Date: Mon Oct 9 17:27:04 2017
New Revision: 1019298
Log:
Staging update by buildbot for zookeeper
Modified:
websites/staging/zookeeper/trunk/content/ (props changed)
websites/staging/zookeeper/trunk/content/security.html
Propchange: websites/staging/zookeeper/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Mon Oct 9 17:27:04 2017
@@ -1 +1 @@
-1801745
+1811586
Modified: websites/staging/zookeeper/trunk/content/security.html
==============================================================================
--- websites/staging/zookeeper/trunk/content/security.html (original)
+++ websites/staging/zookeeper/trunk/content/security.html Mon Oct 9 17:27:04 2017
@@ -63,6 +63,7 @@
<ul>
<li><a href="#CVE-2016-5017"><span class="caps">CVE</span>-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli shell</a> </li>
+<li><a href="#CVE-2017-5637" title="4lw"><span class="caps">CVE</span>-2017-5637: <span class="caps">DOS </span>attack on wchp/wchc four letter words</a></li>
</ul>
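Review bot: the new list item is inconsistent with the sibling CVE-2016-5017 entry in three small ways that are worth fixing before this goes to the live site. First, `<span class="caps">DOS </span>` wraps a trailing space inside the span, unlike `<span class="caps">CVE</span>` on the line above, so the styled run will carry stray whitespace; and for denial of service the conventional spelling is "DoS" rather than "DOS". Second, the `title="4lw"` attribute has no counterpart on the existing entry. Third, the link text omits the "(4lw)" suffix that the matching `<h3 id="CVE-2017-5637">` heading later in this same commit carries, so the table of contents and the heading disagree. Suggested form, consistent with the entry above it: `<li><a href="#CVE-2017-5637"><span class="caps">CVE</span>-2017-5637: DoS attack on wchp/wchc four letter words (4lw)</a></li>`.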
@@ -111,6 +112,35 @@ This issue was discovered by Lyon Yang (
<p>References:<br />
<a href="https://zookeeper.apache.org/security.html">Apache ZooKeeper Security Page</a></p>
+
+
+<h3 id="CVE-2017-5637"><span class="caps">CVE</span>-2017-5637: <span class="caps">DOS </span>attack on wchp/wchc four letter words (4lw)</h3>
+
+<p>Severity: moderate</p>
+
+<p>Vendor:<br />
+The Apache Software Foundation</p>
+
+<p>Versions Affected:<br />
+ZooKeeper 3.4.0 to 3.4.9<br />
+ZooKeeper 3.5.0 to 3.5.2<br />
+The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected</p>
+
+<p>Note: The 3.5 branch is still beta at this time.</p>
+
+<p>Description:<br />
+Two four letter word commands âwchp/wchcâ are <span class="caps">CPU </span>intensive and could cause spike of <span class="caps">CPU </span>utilization on ZooKeeper server if abused,<br />
+which leads to the server unable to serve legitimate client requests. There is no known compromise which takes advantage of this vulnerability.</p>
+
+<p>Mitigation:<br />
+This affects ZooKeeper ensembles whose client port is publicly accessible, so it is recommended to protect ZooKeeper ensemble with firewall.<br />
+Documentation has also been updated to clarify on this point. In addition, a patch (ZOOKEEPER-2693) is provided to disable "wchp/wchcâ commands<br />
+by default.<br />
+- ZooKeeper 3.4.x users should upgrade to 3.4.10 or apply the patch.<br />
+- ZooKeeper 3.5.x users should upgrade to 3.5.3 or apply the patch.</p>
+
+<p>References<br />
+<sup class="footnote"><a href="#fn1">1</a></sup> https://issues.apache.org/jira/browse/ZOOKEEPER-2693</p>
</div>
</td>
<td valign="top">
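Review bot: the quotation marks around the command names in the Description and Mitigation paragraphs have come through as mojibake ("âwchp/wchcâ"), and the Mitigation line pairs a straight ASCII `"` with a garbled closing quote (`"wchp/wchcâ`), which points to UTF-8 curly quotes passing through a non-UTF-8 step somewhere in the CMS pipeline; replace them with plain ASCII quotes (or drop the quotes, as the heading already does) so the command names render correctly in every client. Several other points in the same hunk: the "References" line lacks the colon that the CVE-2016-5017 entry above uses ("References:"), the reference itself is bare text where the existing entry uses an `<a href="...">` link, and the `<sup class="footnote"><a href="#fn1">` anchor targets an id that does not appear anywhere in this hunk, so it will be a dead in-page link unless an `fn1` element already exists elsewhere on the page. Wording: "may be also affected" should read "may also be affected", "could cause spike of CPU utilization" should read "could cause a spike in CPU utilization", and "clarify on this point" should read "clarify this point". Finally, the Mitigation section says the patch disables wchp/wchc "by default" but never tells operators who rely on those commands for watch debugging how to re-enable them after upgrading; a pointer to the server configuration documentation that the same commit says was updated would make the advice actionable rather than leaving "protect the ensemble with a firewall" as the only concrete instruction.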