zookeeper-dev mailing list archives

From Patrick Hunt <ph...@apache.org>
Subject ZooKeeper DOS exploit published
Date Tue, 14 Feb 2017 03:37:06 GMT
Hi folks. The following exploit was recently published on the web and has
come to our attention; it details a ZooKeeper DOS attack against certain
four letter words (4lw), possible when the client port is exposed to
untrusted actors:

https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us

Typically we address security issues on the security@ private mailing list,
publishing a fixed release before publicly releasing the exploit, however
in this case given the information is publicly available already we decided
there's little point to keeping it on security@ exclusively.
http://zookeeper.apache.org/security.html

A JIRA has been created to track this issue:
https://issues.apache.org/jira/browse/ZOOKEEPER-2693
We expect to include a patch to address it in 3.4.10 and 3.5.3.

Patrick
