zookeeper-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2693) DOS attack on wchp/wchc four letter words (4lw)
Date Mon, 27 Feb 2017 05:52:45 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15885182#comment-15885182 ]

ASF GitHub Bot commented on ZOOKEEPER-2693:
-------------------------------------------

Github user rakeshadr commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/179#discussion_r103139365
  
    --- Diff: src/java/main/org/apache/zookeeper/server/command/FourLetterCommands.java ---
    @@ -216,6 +216,10 @@ public static boolean isEnabled(String command) {
                         whiteListedCommands.add(cmd.trim());
                     }
                 }
    +            // It is sad that isro and srvr are used by ZooKeeper itself. Need fix this
    +            // before deprecating 4lw.
    +            whiteListedCommands.add("isro");
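Review bot: the hard-coded `whiteListedCommands.add("isro")` sits at the indentation of the closing brace of the property-parsing block, so whether it runs when `4lw.commands.whitelist` is unset depends on the enclosing block that is not visible in this excerpt; if it is inside the `getProperty` null-check it will not be reached, which defeats the purpose of a mandatory command. Suggest adding the mandatory entries outside that block (or short-circuiting on them in `isEnabled`) and, since this silently contradicts the documented "empty value disables all Four Letter Words", updating the documentation to say that `isro` and `srvr` are always enabled. Two smaller points in the same hunk: the comment names both `isro` and `srvr` but only `isro` is added in the lines shown, and "Need fix this" should read "Need to fix this" together with a note on why these two commands are required by the server itself.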
    --- End diff --
    
    I've a few comments, please see:
    
    comment-1) I agree that these commands are very much needed for ZK functionality and cannot
be disabled. I hope you have coded with that point in mind. In general, default values can
be overridden, but here these are mandatory values. Can we add documentation conveying these thoughts?
Presently the documentation says that `"The default value is empty, which disables all Four
Letter Words command."`
    
    comment-2) Say a user keeps `4lw.commands.whitelist=<empty>`; then `System.getProperty(ZOOKEEPER_4LW_COMMANDS_WHITELIST)`
will be null, and these two commands will not be added to `whiteListedCommands`, right?


> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>
>         Attachments: ZOOKEEPER-2693-01.patch
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK client port
> - typically 2181. The following POC attack was recently published on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to the client
> port to non-trusted clients - i.e. firewall the ZooKeeper service and only allow access to
> trusted applications using it for coordination.
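The whitelist gating discussed in the review, modelled as an added example; this is not ZooKeeper's code and not from the pull request. It puts the shape questioned in comment-2 (mandatory commands added only inside the branch that handles a non-null property) next to a form where `isro`/`srvr` are always enabled while an unset or empty `4lw.commands.whitelist` still refuses `wchp`/`wchc`. The `*` wildcard is how the released ZooKeeper property enables every command and is an assumption here, as are the response strings; the `handle_4lw` dispatcher and all other names are constructed for the example.

```python
"""Model of ZooKeeper's 4lw.commands.whitelist gating (added example; not
ZooKeeper's own code). Compares the shape questioned in the review with a
form where the server's mandatory commands are always whitelisted."""

from typing import Optional, Set

# Commands the review thread says ZooKeeper itself depends on.
MANDATORY_COMMANDS = frozenset({"isro", "srvr"})

# Commands named in the issue: watch dumps that an untrusted client can
# abuse for denial of service on the client port.
EXPENSIVE_COMMANDS = frozenset({"wchp", "wchc"})


def parse_whitelist(prop: Optional[str]) -> Set[str]:
    """Parse a comma-separated whitelist value.

    None (property unset) or an empty/blank string yields an empty set,
    i.e. "disables all Four Letter Words". The '*' entry is passed through
    as a wildcard (assumption: this mirrors the released ZooKeeper
    property, which this page does not mention).
    """
    if prop is None:
        return set()
    return {c.strip() for c in prop.split(",") if c.strip()}


def is_enabled_as_reviewed(prop: Optional[str], command: str) -> bool:
    """Shape questioned in comment-2 of the review.

    The mandatory commands are added inside the same block that handles a
    non-null property, so when the property is unset entirely they are
    never whitelisted, even though the server needs them.
    """
    whitelist: Set[str] = set()
    if prop is not None:
        whitelist |= parse_whitelist(prop)
        whitelist |= MANDATORY_COMMANDS  # only reached when prop is not None
    return "*" in whitelist or command in whitelist


def is_enabled_fixed(prop: Optional[str], command: str) -> bool:
    """Mandatory commands are enabled regardless of the property.

    Everything else follows the configured list, so an unset or empty
    value still refuses wchp/wchc from any client that can reach the port.
    """
    if command in MANDATORY_COMMANDS:
        return True
    whitelist = parse_whitelist(prop)
    return "*" in whitelist or command in whitelist


def handle_4lw(prop: Optional[str], command: str) -> str:
    """Minimal dispatcher: refuse a non-whitelisted command before doing any
    work, which is the cheap check that blocks the watch-dump DoS vector.
    The response strings are constructed for this example."""
    if not is_enabled_fixed(prop, command):
        return f"{command} is not executed because it is not in the whitelist."
    if command in EXPENSIVE_COMMANDS:
        return f"{command}: would dump watch tables (expensive)"
    return f"{command}: ok"


if __name__ == "__main__":
    # Unset property: the reviewed shape loses isro, the fixed one keeps it.
    print("reviewed, unset, isro:", is_enabled_as_reviewed(None, "isro"))
    print("fixed,    unset, isro:", is_enabled_fixed(None, "isro"))
    # Unset or empty property: wchc stays off under the fixed form.
    print("fixed,    unset, wchc:", is_enabled_fixed(None, "wchc"))
    print("fixed,    empty, wchc:", is_enabled_fixed("", "wchc"))
    print(handle_4lw("stat, ruok", "wchc"))
```

Note the asymmetry the test of `is_enabled_as_reviewed` exposes: with the property set to an empty string the mandatory commands are added, but with it unset (`None`) they are not, which is exactly the null-property case raised in comment-2. Whitelisting is a second line of defence; the issue's primary recommendation, restricting who can reach port 2181, still applies.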



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
