Posted to dev@zookeeper.apache.org by Flavio Junqueira <fp...@apache.org> on 2014/04/22 18:32:00 UTC

ZK CVE

Some of you may have noticed that there is a CVE entry for ZK:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085

I've never perceived ZK as a project particularly strong on the security 
side, but I was wondering how folks in the list feel about creating a 
jira and working something out.

-Flavio

Re: ZK CVE

Posted by Patrick Hunt <ph...@apache.org>.
Agree. We should fix this. Would be worthy of a 3.4.7 imo. I'm having
some trouble understanding the problem though.

afaict from the linked bug/reports it seems that "An admin user's
password appeared in plaintext in binary log files." Do they mean to
say in the txnlog? Or just in the log4j log?

The bug report here https://bugzilla.redhat.com/show_bug.cgi?id=1067265
says that the issue has been addressed, however I can't tell what they
did to address it.

Anyone have more insight?

Patrick

On Tue, Apr 22, 2014 at 10:15 AM, Camille Fournier <ca...@apache.org> wrote:
> We should at least address it in some way. A jira is probably in order.
>
>
> On Tue, Apr 22, 2014 at 12:32 PM, Flavio Junqueira <fp...@apache.org> wrote:
>
>> Some of you may have noticed that there is a CVE entry for ZK:
>>
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>>
>> I've never perceived ZK as a project particularly strong on the security
>> side, but I was wondering how folks in the list feel about creating a jira
>> and working something out.
>>
>> -Flavio
>>

Re: ZK CVE

Posted by Camille Fournier <ca...@apache.org>.
We should at least address it in some way. A jira is probably in order.


On Tue, Apr 22, 2014 at 12:32 PM, Flavio Junqueira <fp...@apache.org> wrote:

> Some of you may have noticed that there is a CVE entry for ZK:
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>
> I've never perceived ZK as a project particularly strong on the security
> side, but I was wondering how folks in the list feel about creating a jira
> and working something out.
>
> -Flavio
>

Re: ZK CVE

Posted by Ted Dunning <te...@gmail.com>.
Encryption of data at rest is a good thing. 

It should be an orthogonal issue relative to wire level encryption. 

Sent from my iPhone

> On Apr 22, 2014, at 12:47, Patrick Hunt <ph...@apache.org> wrote:
> 
> Hm. Well the txnlogs didn't make much sense to me. If you have that
> level of access, well then you've got access to everything regardless.
> Shouldn't/wouldn't those files be protected by permissions on the
> datadir?
> 
> Also, which "password" are we storing in the txnlog? The session
> password or truly the admin password.
> 
> Patrick
> 
> On Tue, Apr 22, 2014 at 11:04 AM, Flavio Junqueira
> <fp...@yahoo.com> wrote:
>> I've created ZK-1917 for this.
>> 
>> I think it is referring to the txn logs. If so, SSL encryption alone isn't going to do it.
>> 
>> -Flavio
>> 
>>> On 22 Apr 2014, at 18:55, Patrick Hunt <ph...@apache.org> wrote:
>>> 
>>>> On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki <mi...@cs.stanford.edu> wrote:
>>>> That's a great idea.
>>>> 
>>>> The link talks about one specific vulnerability (password being logged
>>>> in cleartext :( ), but I'm interested in securing ZooKeeper in
>>>> general. I've seen projects staying away from ZooKeeper because it
>>>> doesn't support SSL, for example.
>>>> 
>>> 
>>> That was one of the reasons why we were trying to add netty support -
>>> it would greatly simplify enabling SSL encryption.
>>> 
>>> Patrick
>>> 
>>>> 
>>>>> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <fp...@apache.org> wrote:
>>>>> Some of you may have noticed that there is a CVE entry for ZK:
>>>>> 
>>>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>>>>> 
>>>>> I've never perceived ZK as a project particularly strong on the security
>>>>> side, but I was wondering how folks in the list feel about creating a jira
>>>>> and working something out.
>>>>> 
>>>>> -Flavio
>> 

RE: ZK CVE

Posted by Flavio Junqueira <fp...@yahoo.com>.
I think I know what they are talking about. Let me try to reproduce it; it might give us a bit more clarity on the matter.

-Flavio

-----Original Message-----
From: Patrick Hunt [mailto:phunt@apache.org] 
Sent: Tuesday, April 22, 2014 7:47 PM
To: DevZooKeeper
Cc: Michi Mutsuzaki
Subject: Re: ZK CVE

Hm. Well the txnlogs didn't make much sense to me. If you have that level of access, well then you've got access to everything regardless.
Shouldn't/wouldn't those files be protected by permissions on the datadir?

Also, which "password" are we storing in the txnlog? The session password or truly the admin password.

Patrick

On Tue, Apr 22, 2014 at 11:04 AM, Flavio Junqueira <fp...@yahoo.com> wrote:
> I've created ZK-1917 for this.
>
> I think it is referring to the txn logs. If so, SSL encryption alone isn't going to do it.
>
> -Flavio
>
> On 22 Apr 2014, at 18:55, Patrick Hunt <ph...@apache.org> wrote:
>
>> On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki <mi...@cs.stanford.edu> wrote:
>>> That's a great idea.
>>>
>>> The link talks about one specific vulnerability (password being 
>>> logged in cleartext :( ), but I'm interested in securing ZooKeeper
>>> in general. I've seen projects staying away from ZooKeeper because 
>>> it doesn't support SSL, for example.
>>>
>>
>> That was one of the reasons why we were trying to add netty support - 
>> it would greatly simplify enabling SSL encryption.
>>
>> Patrick
>>
>>>
>>> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <fp...@apache.org> wrote:
>>>> Some of you may have noticed that there is a CVE entry for ZK:
>>>>
>>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>>>>
>>>> I've never perceived ZK as a project particularly strong on the 
>>>> security side, but I was wondering how folks in the list feel about 
>>>> creating a jira and working something out.
>>>>
>>>> -Flavio
>


Re: ZK CVE

Posted by Patrick Hunt <ph...@apache.org>.
Hm. Well the txnlogs didn't make much sense to me. If you have that
level of access, well then you've got access to everything regardless.
Shouldn't/wouldn't those files be protected by permissions on the
datadir?

Also, which "password" are we storing in the txnlog? The session
password or truly the admin password.

Patrick

On Tue, Apr 22, 2014 at 11:04 AM, Flavio Junqueira
<fp...@yahoo.com> wrote:
> I've created ZK-1917 for this.
>
> I think it is referring to the txn logs. If so, SSL encryption alone isn't going to do it.
>
> -Flavio
>
> On 22 Apr 2014, at 18:55, Patrick Hunt <ph...@apache.org> wrote:
>
>> On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki <mi...@cs.stanford.edu> wrote:
>>> That's a great idea.
>>>
>>> The link talks about one specific vulnerability (password being logged
>>> in cleartext :( ), but I'm interested in securing ZooKeeper in
>>> general. I've seen projects staying away from ZooKeeper because it
>>> doesn't support SSL, for example.
>>>
>>
>> That was one of the reasons why we were trying to add netty support -
>> it would greatly simplify enabling SSL encryption.
>>
>> Patrick
>>
>>>
>>> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <fp...@apache.org> wrote:
>>>> Some of you may have noticed that there is a CVE entry for ZK:
>>>>
>>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>>>>
>>>> I've never perceived ZK as a project particularly strong on the security
>>>> side, but I was wondering how folks in the list feel about creating a jira
>>>> and working something out.
>>>>
>>>> -Flavio
>

Re: ZK CVE

Posted by Patrick Hunt <ph...@apache.org>.
Great! Could you also inquire on how they fixed this?

Patrick

On Wed, Apr 23, 2014 at 4:31 PM, Michi Mutsuzaki <mi...@cs.stanford.edu> wrote:
> I commented on the bugzilla ticket.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1067265
>
>
> On Wed, Apr 23, 2014 at 4:05 PM, Patrick Hunt <ph...@apache.org> wrote:
>> I scanned through the client and server code, I don't see where we log
>> the password to the log4j log. I'm not as familiar with the sasl code
>> though.
>>
>> Did anyone reach out to the OP on that issue? Perhaps we can reach out
>> and get more detail (both on the original issue and how it was fixed).
>>
>> Patrick
>>
>> On Wed, Apr 23, 2014 at 11:14 AM, Andrew Purtell <ap...@apache.org> wrote:
>>> If you like. The prototype on that JIRA has more than a single configuration
>>> toggle, but another revision could do that. In lieu of a simple
>>> configuration change there could be a chapter on setting up filesystem
>>> encryption on Linux and Windows. This wouldn't protect against leaks due to
>>> improper filesystem level permissions.
>>>
>>>
>>> On Wed, Apr 23, 2014 at 10:58 AM, Michi Mutsuzaki <mi...@cs.stanford.edu> wrote:
>>>
>>>> I'm all for encrypting txn logs/snapshots, but shouldn't we use some
>>>> existing file system encryption instead of implementing our own?
>>>>
>>>> On Wed, Apr 23, 2014 at 8:56 AM, Andrew Purtell <ap...@apache.org>
>>>> wrote:
>>>> > ZOOKEEPER-1688
>>>> >
>>>> > On Tuesday, April 22, 2014, Flavio Junqueira <fp...@yahoo.com> wrote:
>>>> >
>>>> >> I've created ZK-1917 for this.
>>>> >>
>>>> >> I think it is referring to the txn logs. If so, SSL encryption alone isn't
>>>> >> going to do it.
>>>> >>
>>>> >> -Flavio
>>>> >>
>>>> >> On 22 Apr 2014, at 18:55, Patrick Hunt <phunt@apache.org> wrote:
>>>> >>
>>>> >> > On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki <michi@cs.stanford.edu> wrote:
>>>> >> >> That's a great idea.
>>>> >> >>
>>>> >> >> The link talks about one specific vulnerability (password being logged
>>>> >> >> in cleartext :( ), but I'm interested in securing ZooKeeper in
>>>> >> >> general. I've seen projects staying away from ZooKeeper because it
>>>> >> >> doesn't support SSL, for example.
>>>> >> >>
>>>> >> >
>>>> >> > That was one of the reasons why we were trying to add netty support -
>>>> >> > it would greatly simplify enabling SSL encryption.
>>>> >> >
>>>> >> > Patrick
>>>> >> >
>>>> >> >>
>>>> >> >> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <fpj@apache.org> wrote:
>>>> >> >>> Some of you may have noticed that there is a CVE entry for ZK:
>>>> >> >>>
>>>> >> >>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>>>> >> >>>
>>>> >> >>> I've never perceived ZK as a project particularly strong on the security
>>>> >> >>> side, but I was wondering how folks in the list feel about creating a jira
>>>> >> >>> and working something out.
>>>> >> >>>
>>>> >> >>> -Flavio
>>>> >>
>>>> >>
>>>> >
>>>> > --
>>>> > Best regards,
>>>> >
>>>> >    - Andy
>>>> >
>>>> > Problems worthy of attack prove their worth by hitting back. - Piet Hein
>>>> > (via Tom White)
>>>>
>>>
>>>
>>>
>>> --
>>> Best regards,
>>>
>>>    - Andy
>>>
>>> Problems worthy of attack prove their worth by hitting back. - Piet Hein
>>> (via Tom White)

Re: ZK CVE

Posted by Michi Mutsuzaki <mi...@cs.stanford.edu>.
I commented on the bugzilla ticket.

https://bugzilla.redhat.com/show_bug.cgi?id=1067265


On Wed, Apr 23, 2014 at 4:05 PM, Patrick Hunt <ph...@apache.org> wrote:
> I scanned through the client and server code, I don't see where we log
> the password to the log4j log. I'm not as familiar with the sasl code
> though.
>
> Did anyone reach out to the OP on that issue? Perhaps we can reach out
> and get more detail (both on the original issue and how it was fixed).
>
> Patrick
>
> On Wed, Apr 23, 2014 at 11:14 AM, Andrew Purtell <ap...@apache.org> wrote:
>> If you like. The prototype on that JIRA has more than a single configuration
>> toggle, but another revision could do that. In lieu of a simple
>> configuration change there could be a chapter on setting up filesystem
>> encryption on Linux and Windows. This wouldn't protect against leaks due to
>> improper filesystem level permissions.
>>
>>
>> On Wed, Apr 23, 2014 at 10:58 AM, Michi Mutsuzaki <mi...@cs.stanford.edu> wrote:
>>
>>> I'm all for encrypting txn logs/snapshots, but shouldn't we use some
>>> existing file system encryption instead of implementing our own?
>>>
>>> On Wed, Apr 23, 2014 at 8:56 AM, Andrew Purtell <ap...@apache.org>
>>> wrote:
>>> > ZOOKEEPER-1688
>>> >
>>> > On Tuesday, April 22, 2014, Flavio Junqueira <fp...@yahoo.com> wrote:
>>> >
>>> >> I've created ZK-1917 for this.
>>> >>
>>> >> I think it is referring to the txn logs. If so, SSL encryption alone isn't
>>> >> going to do it.
>>> >>
>>> >> -Flavio
>>> >>
>>> >> On 22 Apr 2014, at 18:55, Patrick Hunt <phunt@apache.org> wrote:
>>> >>
>>> >> > On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki <michi@cs.stanford.edu> wrote:
>>> >> >> That's a great idea.
>>> >> >>
>>> >> >> The link talks about one specific vulnerability (password being logged
>>> >> >> in cleartext :( ), but I'm interested in securing ZooKeeper in
>>> >> >> general. I've seen projects staying away from ZooKeeper because it
>>> >> >> doesn't support SSL, for example.
>>> >> >>
>>> >> >
>>> >> > That was one of the reasons why we were trying to add netty support -
>>> >> > it would greatly simplify enabling SSL encryption.
>>> >> >
>>> >> > Patrick
>>> >> >
>>> >> >>
>>> >> >> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <fpj@apache.org> wrote:
>>> >> >>> Some of you may have noticed that there is a CVE entry for ZK:
>>> >> >>>
>>> >> >>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>>> >> >>>
>>> >> >>> I've never perceived ZK as a project particularly strong on the security
>>> >> >>> side, but I was wondering how folks in the list feel about creating a jira
>>> >> >>> and working something out.
>>> >> >>>
>>> >> >>> -Flavio
>>> >>
>>> >>
>>> >
>>> > --
>>> > Best regards,
>>> >
>>> >    - Andy
>>> >
>>> > Problems worthy of attack prove their worth by hitting back. - Piet Hein
>>> > (via Tom White)
>>>
>>
>>
>>
>> --
>> Best regards,
>>
>>    - Andy
>>
>> Problems worthy of attack prove their worth by hitting back. - Piet Hein
>> (via Tom White)

Re: ZK CVE

Posted by Patrick Hunt <ph...@apache.org>.
I scanned through the client and server code, I don't see where we log
the password to the log4j log. I'm not as familiar with the sasl code
though.

Did anyone reach out to the OP on that issue? Perhaps we can reach out
and get more detail (both on the original issue and how it was fixed).

Patrick

On Wed, Apr 23, 2014 at 11:14 AM, Andrew Purtell <ap...@apache.org> wrote:
> If you like. The prototype on that JIRA has more than a single configuration
> toggle, but another revision could do that. In lieu of a simple
> configuration change there could be a chapter on setting up filesystem
> encryption on Linux and Windows. This wouldn't protect against leaks due to
> improper filesystem level permissions.
>
>
> On Wed, Apr 23, 2014 at 10:58 AM, Michi Mutsuzaki <mi...@cs.stanford.edu> wrote:
>
>> I'm all for encrypting txn logs/snapshots, but shouldn't we use some
>> existing file system encryption instead of implementing our own?
>>
>> On Wed, Apr 23, 2014 at 8:56 AM, Andrew Purtell <ap...@apache.org>
>> wrote:
>> > ZOOKEEPER-1688
>> >
>> > On Tuesday, April 22, 2014, Flavio Junqueira <fp...@yahoo.com> wrote:
>> >
>> >> I've created ZK-1917 for this.
>> >>
>> >> I think it is referring to the txn logs. If so, SSL encryption alone isn't
>> >> going to do it.
>> >>
>> >> -Flavio
>> >>
>> >> On 22 Apr 2014, at 18:55, Patrick Hunt <phunt@apache.org> wrote:
>> >>
>> >> > On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki <michi@cs.stanford.edu> wrote:
>> >> >> That's a great idea.
>> >> >>
>> >> >> The link talks about one specific vulnerability (password being logged
>> >> >> in cleartext :( ), but I'm interested in securing ZooKeeper in
>> >> >> general. I've seen projects staying away from ZooKeeper because it
>> >> >> doesn't support SSL, for example.
>> >> >>
>> >> >
>> >> > That was one of the reasons why we were trying to add netty support -
>> >> > it would greatly simplify enabling SSL encryption.
>> >> >
>> >> > Patrick
>> >> >
>> >> >>
>> >> >> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <fpj@apache.org> wrote:
>> >> >>> Some of you may have noticed that there is a CVE entry for ZK:
>> >> >>>
>> >> >>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>> >> >>>
>> >> >>> I've never perceived ZK as a project particularly strong on the security
>> >> >>> side, but I was wondering how folks in the list feel about creating a jira
>> >> >>> and working something out.
>> >> >>>
>> >> >>> -Flavio
>> >>
>> >>
>> >
>> > --
>> > Best regards,
>> >
>> >    - Andy
>> >
>> > Problems worthy of attack prove their worth by hitting back. - Piet Hein
>> > (via Tom White)
>>
>
>
>
> --
> Best regards,
>
>    - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein
> (via Tom White)

Re: ZK CVE

Posted by Andrew Purtell <ap...@apache.org>.
If you like. The prototype on that JIRA has more than a single configuration
toggle, but another revision could do that. In lieu of a simple
configuration change there could be a chapter on setting up filesystem
encryption on Linux and Windows. This wouldn't protect against leaks due to
improper filesystem level permissions.


On Wed, Apr 23, 2014 at 10:58 AM, Michi Mutsuzaki <mi...@cs.stanford.edu> wrote:

> I'm all for encrypting txn logs/snapshots, but shouldn't we use some
> existing file system encryption instead of implementing our own?
>
> On Wed, Apr 23, 2014 at 8:56 AM, Andrew Purtell <ap...@apache.org>
> wrote:
> > ZOOKEEPER-1688
> >
> > On Tuesday, April 22, 2014, Flavio Junqueira <fp...@yahoo.com> wrote:
> >
> >> I've created ZK-1917 for this.
> >>
> >> I think it is referring to the txn logs. If so, SSL encryption alone isn't
> >> going to do it.
> >>
> >> -Flavio
> >>
> >> On 22 Apr 2014, at 18:55, Patrick Hunt <phunt@apache.org> wrote:
> >>
> >> > On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki <michi@cs.stanford.edu> wrote:
> >> >> That's a great idea.
> >> >>
> >> >> The link talks about one specific vulnerability (password being logged
> >> >> in cleartext :( ), but I'm interested in securing ZooKeeper in
> >> >> general. I've seen projects staying away from ZooKeeper because it
> >> >> doesn't support SSL, for example.
> >> >>
> >> >
> >> > That was one of the reasons why we were trying to add netty support -
> >> > it would greatly simplify enabling SSL encryption.
> >> >
> >> > Patrick
> >> >
> >> >>
> >> >> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <fpj@apache.org> wrote:
> >> >>> Some of you may have noticed that there is a CVE entry for ZK:
> >> >>>
> >> >>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
> >> >>>
> >> >>> I've never perceived ZK as a project particularly strong on the security
> >> >>> side, but I was wondering how folks in the list feel about creating a jira
> >> >>> and working something out.
> >> >>>
> >> >>> -Flavio
> >>
> >>
> >
> > --
> > Best regards,
> >
> >    - Andy
> >
> > Problems worthy of attack prove their worth by hitting back. - Piet Hein
> > (via Tom White)
>



-- 
Best regards,

   - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein
(via Tom White)
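Patrick's question (whether permissions on the datadir already protect the txnlogs), Michi's suggestion to lean on filesystem encryption, and Andrew Purtell's caveat that encryption does not help against improper filesystem-level permissions all reduce to two things an operator can verify directly on a running ensemble: who can read the files under dataDir/dataLogDir, and whether a credential in use actually appears inside them. The script below is an added example written for this page, not ZooKeeper project code. It assumes only ZooKeeper's standard on-disk naming (log.<zxid> and snapshot.<zxid> under a version-2 subdirectory); the sample directory, its world-readable transaction log and the "user:password" string planted in it are constructed for the demonstration, so a hit there says nothing about what a real server writes. Point audit() at a real data directory with the credential bytes you actually use to settle the question the thread leaves open.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# ZooKeeper names its on-disk files "log.<zxid>" (transaction logs) and
# "snapshot.<zxid>" with the zxid in hex, normally under <dataDir>/version-2
# (transaction logs live under dataLogDir when that is configured).
DATA_FILE_RE = re.compile(r"^(log|snapshot)\.[0-9a-fA-F]+$")


def find_data_files(data_dir: Path) -> list[Path]:
    """Transaction logs and snapshots anywhere below data_dir."""
    return sorted(p for p in data_dir.rglob("*")
                  if p.is_file() and DATA_FILE_RE.match(p.name))


def permission_findings(path: Path, label: str) -> list[str]:
    """Flag any group/other bits: only the ZooKeeper service account should
    be able to reach the data directory and what is in it."""
    mode = path.stat().st_mode
    findings = []
    if mode & stat.S_IRWXG:
        findings.append(f"{label}: group has access ({stat.filemode(mode)})")
    if mode & stat.S_IRWXO:
        findings.append(f"{label}: other has access ({stat.filemode(mode)})")
    return findings


def scan_for_secret(path: Path, secret: bytes, chunk_size: int = 1 << 20) -> list[int]:
    """Byte offsets of every occurrence of secret in path.

    The files are Jute-serialized binary, so this is a raw byte search rather
    than a text grep.  Consecutive chunks overlap by len(secret) - 1 bytes so a
    match that straddles a chunk boundary is still found, exactly once."""
    if not secret:
        raise ValueError("secret must be non-empty")
    overlap = len(secret) - 1
    offsets: list[int] = []
    tail = b""         # last `overlap` bytes of the previous buffer
    consumed = 0       # absolute offset just past the last block read
    with path.open("rb") as fh:
        while block := fh.read(chunk_size):
            buf = tail + block
            buf_start = consumed - len(tail)
            i = buf.find(secret)
            while i != -1:
                offsets.append(buf_start + i)
                i = buf.find(secret, i + 1)
            consumed += len(block)
            tail = buf[-overlap:] if overlap else b""
    return offsets


def audit(data_dir: Path, secrets: dict[str, bytes]) -> dict:
    """Permission findings for data_dir, its subdirectories and data files,
    plus the offsets of each named secret found in each data file."""
    report: dict = {"permissions": [], "hits": {}}
    dirs = [data_dir] + sorted(p for p in data_dir.rglob("*") if p.is_dir())
    files = find_data_files(data_dir)
    for p in dirs + files:
        report["permissions"].extend(
            permission_findings(p, p.relative_to(data_dir).as_posix()))
    for p in files:
        label = p.relative_to(data_dir).as_posix()
        for name, secret in secrets.items():
            offsets = scan_for_secret(p, secret)
            if offsets:
                report["hits"].setdefault(label, {})[name] = offsets
    return report


# Constructed sample (not real ZooKeeper output): a world-readable transaction
# log containing a made-up "user:password" credential, next to a correctly
# locked-down snapshot that does not.
SAMPLE_SECRET = b"super:example-password"


def build_sample_tree() -> Path:
    root = Path(tempfile.mkdtemp(prefix="zk-audit-"))
    data_dir = root / "zkdata"
    version_dir = data_dir / "version-2"
    version_dir.mkdir(parents=True)
    log = version_dir / "log.100000001"
    log.write_bytes(b"\x00" * 64 + SAMPLE_SECRET + b"\x00" * 16)
    snap = version_dir / "snapshot.100000000"
    snap.write_bytes(b"\x00" * 32)
    os.chmod(data_dir, 0o755)      # the mistake: anyone can traverse...
    os.chmod(version_dir, 0o755)
    os.chmod(log, 0o644)           # ...and read the log holding the credential
    os.chmod(snap, 0o600)
    return data_dir


def audit_sample() -> dict:
    return audit(build_sample_tree(), {"admin-digest": SAMPLE_SECRET})


if __name__ == "__main__":
    result = audit_sample()
    for line in result["permissions"]:
        print("PERM  " + line)
    for label, by_name in result["hits"].items():
        for name, offsets in by_name.items():
            print(f"LEAK  {label}: '{name}' in cleartext at byte offsets {offsets}")
```

A hit means the credential is recoverable by every account the permission findings list, and by anyone who can read a backup or a decommissioned disk, which is the case filesystem encryption addresses and file permissions do not. A clean result only covers the byte strings you searched for; it does not prove the files hold no secrets in some other encoding.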

Re: ZK CVE

Posted by Michi Mutsuzaki <mi...@cs.stanford.edu>.
I'm all for encrypting txn logs/snapshots, but shouldn't we use some
existing file system encryption instead of implementing our own?

On Wed, Apr 23, 2014 at 8:56 AM, Andrew Purtell <ap...@apache.org> wrote:
> ZOOKEEPER-1688
>
> On Tuesday, April 22, 2014, Flavio Junqueira <fp...@yahoo.com> wrote:
>
>> I've created ZK-1917 for this.
>>
>> I think it is referring to the txn logs. If so, SSL encryption alone isn't
>> going to do it.
>>
>> -Flavio
>>
>> On 22 Apr 2014, at 18:55, Patrick Hunt <phunt@apache.org> wrote:
>>
>> > On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki <michi@cs.stanford.edu> wrote:
>> >> That's a great idea.
>> >>
>> >> The link talks about one specific vulnerability (password being logged
>> >> in cleartext :( ), but I'm interested in securing ZooKeeper in
>> >> general. I've seen projects staying away from ZooKeeper because it
>> >> doesn't support SSL, for example.
>> >>
>> >
>> > That was one of the reasons why we were trying to add netty support -
>> > it would greatly simplify enabling SSL encryption.
>> >
>> > Patrick
>> >
>> >>
>> >> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <fpj@apache.org> wrote:
>> >>> Some of you may have noticed that there is a CVE entry for ZK:
>> >>>
>> >>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>> >>>
>> >>> I've never perceived ZK as a project particularly strong on the security
>> >>> side, but I was wondering how folks in the list feel about creating a jira
>> >>> and working something out.
>> >>>
>> >>> -Flavio
>>
>>
>
> --
> Best regards,
>
>    - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein
> (via Tom White)

Re: ZK CVE

Posted by Andrew Purtell <ap...@apache.org>.
ZOOKEEPER-1688

On Tuesday, April 22, 2014, Flavio Junqueira <fp...@yahoo.com> wrote:

> I've created ZK-1917 for this.
>
> I think it is referring to the txn logs. If so, SSL encryption alone isn't
> going to do it.
>
> -Flavio
>
> On 22 Apr 2014, at 18:55, Patrick Hunt <phunt@apache.org> wrote:
>
> > On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki <michi@cs.stanford.edu> wrote:
> >> That's a great idea.
> >>
> >> The link talks about one specific vulnerability (password being logged
> >> in cleartext :( ), but I'm interested in securing ZooKeeper in
> >> general. I've seen projects staying away from ZooKeeper because it
> >> doesn't support SSL, for example.
> >>
> >
> > That was one of the reasons why we were trying to add netty support -
> > it would greatly simplify enabling SSL encryption.
> >
> > Patrick
> >
> >>
> >> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <fpj@apache.org> wrote:
> >>> Some of you may have noticed that there is a CVE entry for ZK:
> >>>
> >>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
> >>>
> >>> I've never perceived ZK as a project particularly strong on the security
> >>> side, but I was wondering how folks in the list feel about creating a jira
> >>> and working something out.
> >>>
> >>> -Flavio
>
>

-- 
Best regards,

   - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein
(via Tom White)

Re: ZK CVE

Posted by Flavio Junqueira <fp...@yahoo.com>.
I've created ZK-1917 for this. 

I think it is referring to the txn logs. If so, SSL encryption alone isn't going to do it. 

-Flavio

On 22 Apr 2014, at 18:55, Patrick Hunt <ph...@apache.org> wrote:

> On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki <mi...@cs.stanford.edu> wrote:
>> That's a great idea.
>> 
>> The link talks about one specific vulnerability (password being logged
>> in cleartext :( ), but I'm interested in securing ZooKeeper in
>> general. I've seen projects staying away from ZooKeeper because it
>> doesn't support SSL, for example.
>> 
> 
> That was one of the reasons why we were trying to add netty support -
> it would greatly simplify enabling SSL encryption.
> 
> Patrick
> 
>> 
>> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <fp...@apache.org> wrote:
>>> Some of you may have noticed that there is a CVE entry for ZK:
>>> 
>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>>> 
>>> I've never perceived ZK as a project particularly strong on the security
>>> side, but I was wondering how folks in the list feel about creating a jira
>>> and working something out.
>>> 
>>> -Flavio


Re: ZK CVE

Posted by Patrick Hunt <ph...@apache.org>.
On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki <mi...@cs.stanford.edu> wrote:
> That's a great idea.
>
> The link talks about one specific vulnerability (password being logged
> in cleartext :( ), but I'm interested in securing ZooKeeper in
> general. I've seen projects staying away from ZooKeeper because it
> doesn't support SSL, for example.
>

That was one of the reasons why we were trying to add netty support -
it would greatly simplify enabling SSL encryption.

Patrick

>
> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <fp...@apache.org> wrote:
>> Some of you may have noticed that there is a CVE entry for ZK:
>>
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>>
>> I've never perceived ZK as a project particularly strong on the security
>> side, but I was wondering how folks in the list feel about creating a jira
>> and working something out.
>>
>> -Flavio

Re: ZK CVE

Posted by Michi Mutsuzaki <mi...@cs.stanford.edu>.
That's a great idea.

The link talks about one specific vulnerability (password being logged
in cleartext :( ), but I'm interested in securing ZooKeeper in
general. I've seen projects staying away from ZooKeeper because it
doesn't support SSL, for example.


On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <fp...@apache.org> wrote:
> Some of you may have noticed that there is a CVE entry for ZK:
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>
> I've never perceived ZK as a project particularly strong on the security
> side, but I was wondering how folks in the list feel about creating a jira
> and working something out.
>
> -Flavio