zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2693) DOS attack on wchp/wchc four letter words (4lw)
Date Fri, 17 Feb 2017 20:12:41 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15872443#comment-15872443
] 

ASF GitHub Bot commented on ZOOKEEPER-2693:
-------------------------------------------

Github user hanm commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/179#discussion_r101838329
  
    --- Diff: src/java/main/org/apache/zookeeper/server/NIOServerCnxn.java ---
    @@ -479,7 +479,7 @@ private boolean checkFourLetterWord(final SelectionKey k, final int
len)
             // We take advantage of the limited size of the length to look
             // for cmds. They are all 4-bytes which fits inside of an int
             String cmd = FourLetterCommands.getCmdMapView().get(len);
    -        if (cmd == null) {
    +        if (cmd == null || !FourLetterCommands.getWhiteListedCmdView().contains(cmd))
{
    --- End diff --
    
    I think the original comment was not clear but I think it is a good catch - instead of
return false here we return true because the semantic of checkFourLetterWord is we only return
false if 4lw is not found, and in that case the caller will think this is a client message
and proceed allocate buffer etc work (iiuc that was what the "it should be processed in that
way only" meant.).


> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK client port
- typically 2181. The following POC attack was recently published on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to the client
port to non-trusted clients - i.e. firewall the ZooKeeper service and only allow access to
trusted applications using it for coordination.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message