Posted to commits@zookeeper.apache.org by bu...@apache.org on 2017/10/09 17:27:04 UTC

svn commit: r1019298 - in /websites/staging/zookeeper/trunk/content: ./ security.html

Author: buildbot
Date: Mon Oct  9 17:27:04 2017
New Revision: 1019298

Log:
Staging update by buildbot for zookeeper

Modified:
    websites/staging/zookeeper/trunk/content/   (props changed)
    websites/staging/zookeeper/trunk/content/security.html

Propchange: websites/staging/zookeeper/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Mon Oct  9 17:27:04 2017
@@ -1 +1 @@
-1801745
+1811586

Modified: websites/staging/zookeeper/trunk/content/security.html
==============================================================================
--- websites/staging/zookeeper/trunk/content/security.html (original)
+++ websites/staging/zookeeper/trunk/content/security.html Mon Oct  9 17:27:04 2017
@@ -63,6 +63,7 @@
 
 <ul>
 <li><a href="#CVE-2016-5017"><span class="caps">CVE</span>-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli shell</a> </li>
+<li><a href="#CVE-2017-5637" title="4lw"><span class="caps">CVE</span>-2017-5637: <span class="caps">DOS </span>attack on wchp/wchc four letter words</a></li>
 </ul>
 
 
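Review bot: the new index entry is formatted inconsistently with the sibling CVE-2016-5017 entry on the line above: it carries a `title="4lw"` attribute the other entry lacks, and the `<span class="caps">DOS </span>` wraps a trailing space inside the span, so the rendered text becomes "DOS  attack" with a doubled space. Suggest dropping the `title` attribute and moving the space outside the span, e.g. `<span class="caps">DOS</span> attack on wchp/wchc four letter words`, and matching the heading text below by appending "(4lw)" here too.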
@@ -111,6 +112,35 @@ This issue was discovered by Lyon Yang (
 
 <p>References:<br />
 <a href="https://zookeeper.apache.org/security.html">Apache ZooKeeper Security Page</a></p>
+
+
+<h3 id="CVE-2017-5637"><span class="caps">CVE</span>-2017-5637: <span class="caps">DOS </span>attack on wchp/wchc four letter words (4lw)</h3>
+
+<p>Severity: moderate</p>
+
+<p>Vendor:<br />
+The Apache Software Foundation</p>
+
+<p>Versions Affected:<br />
+ZooKeeper 3.4.0 to 3.4.9<br />
+ZooKeeper 3.5.0 to 3.5.2<br />
+The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected</p>
+
+<p>Note: The 3.5 branch is still beta at this time.</p>
+
+<p>Description:<br />
+Two four letter word commands “wchp/wchc” are <span class="caps">CPU </span>intensive and could cause spike of <span class="caps">CPU </span>utilization on ZooKeeper server if abused,<br />
+which leads to the server unable to serve legitimate client requests. There is no known compromise which takes advantage of this vulnerability.</p>
+
+<p>Mitigation:<br />
+This affects ZooKeeper ensembles whose client port is publicly accessible, so it is recommended to protect ZooKeeper ensemble with firewall.<br />
+Documentation has also been updated to clarify on this point. In addition, a patch (ZOOKEEPER-2693) is provided to disable "wchp/wchc” commands<br />
+by default.<br />
+- ZooKeeper 3.4.x users should upgrade to 3.4.10 or apply the patch.<br />
+- ZooKeeper 3.5.x users should upgrade to 3.5.3 or apply the patch.</p>
+
+<p>References<br />
+<sup class="footnote"><a href="#fn1">1</a></sup> https://issues.apache.org/jira/browse/ZOOKEEPER-2693</p>
           </div>
         </td>
         <td valign="top">