zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2693) DOS attack on wchp/wchc four letter words (4lw)
Date Thu, 16 Feb 2017 17:29:42 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15870316#comment-15870316
] 

ASF GitHub Bot commented on ZOOKEEPER-2693:
-------------------------------------------

Github user rakeshadr commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/179#discussion_r101576900
  
    --- Diff: src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml ---
    @@ -1155,6 +1155,30 @@ server.3=zoo3:2888:3888</programlisting>
                 </listitem>
               </varlistentry>
     
    +          <varlistentry>
    +            <term>4lw.commands.whitelist</term>
    +
    +            <listitem>
    +              <para>(Java system property: <emphasis
    --- End diff --
    
    >>This new configuration option is provided as both zoo.cfg option and system properties
so users can encode the white list in zoo.cfg and that is the recommended approach as documented
in the admin manual
    
    Do you meant, you are supporting both options - users can either configure the list in
`zoo.cfg` or set as `system properties`? If yes, I'm OK to this approach.  But in the code
I could see that server reads the value from `System.getProperty(ZOOKEEPER_4LW_COMMANDS_WHITELIST)`
and it is not reading the value from `zoo.cfg`


> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK client port
- typically 2181. The following POC attack was recently published on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to the client
port to non-trusted clients - i.e. firewall the ZooKeeper service and only allow access to
trusted applications using it for coordination.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message