zookeeper-dev mailing list archives

From "Michael Han (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2693) DOS attack on wchp/wchc four letter words (4lw)
Date Tue, 21 Feb 2017 22:25:44 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15876870#comment-15876870

Michael Han commented on ZOOKEEPER-2693:

bq. IIUC, these are two problems -> case-1) restrict 4lw cmd execution, as a few cmds take
too much time for execution. case-2) protection against overuse because it creates many connections.

Yes, this is a good summary. Two problems - one is to fix the obvious exploits related to
the watcher 4lw and the other is to prevent abuse of 4lw in general. This JIRA's scope is targeting
the first one, which fixes the immediate issue and unblocks two important ongoing releases. We
can easily get out of scope if we want to completely fix the security of the 4lw, which was
not designed with security in mind, while balancing compatibility and minimizing disruption to existing
users, so I'd recommend we stick to the current scope (unless, as I mentioned earlier, folks
feel strongly against the white list approach).

bq. could you create a PR for branch-3.4
I will once I get this landed in 3.5. PR to 3.4 will not be much different, but I'd like to
finalize this PR first to avoid potential duplicated efforts.

Meanwhile, I'll create a set of follow-up JIRAs to address concerns of abusing 4lw in general:
* A new config option to turn on / off 4lw w/o a middle ground (sure, we can use an empty white
list for this purpose, but a separate option is better IMO from the point of view of deprecating
a feature).
* 4lw rate limiting, including concurrent command runs configuration.
* Fix client / script to avoid using 4lw - it is unfortunate ZK itself depends on 4lw.

> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>         Attachments: ZOOKEEPER-2693-01.patch
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK client port
> - typically 2181. The following POC attack was recently published on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to the client
> port to non-trusted clients - i.e. firewall the ZooKeeper service and only allow access to
> trusted applications using it for coordination.

This message was sent by Atlassian JIRA
