zookeeper-dev mailing list archives

From "Mohammad Arshad (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2693) DOS attack on wchp/wchc four letter words (4lw)
Date Sat, 18 Feb 2017 14:44:44 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15873191#comment-15873191 ]

Mohammad Arshad commented on ZOOKEEPER-2693:
--------------------------------------------

> 3.4: ruok,srvr,crst,srst,isro,mntr, 3.5: <empty>

There are some 4lw commands which ZooKeeper is using by itself. For example:
1. srvr is used in zookeeper/bin/zkServer.sh status
2. isro is used in org.apache.zookeeper.ClientCnxn.SendThread.pingRwServer()

If we do not enable those commands by default, related functionalities will not work, so we
have to include them in the default list.
But if we enable them, I do not know if the whole purpose of this fix is defeated, because the
attacker can call these commands; even though we are not doing much work in these commands,
still the connections will be created for every call.
Any comments on which option to choose?

> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK client port
> - typically 2181. The following POC attack was recently published on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to the client
> port to non-trusted clients - i.e. firewall the ZooKeeper service and only allow access to
> trusted applications using it for coordination.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
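As an added example (not part of this thread and not ZooKeeper project code), the script below is the kind of check an operator would run after configuring the 4lw whitelist: it sends each four-letter word over a fresh TCP connection, exactly as zkServer.sh status and the client's rw-server ping do, and reports whether the server executed or refused it. It then flags two kinds of misconfiguration: a command ZooKeeper itself depends on (srvr, isro) that is blocked, and a watch-dump command (wchp, wchc) that is still reachable. The function names (`send_4lw`, `audit`, `findings`, `FakeZooKeeper`) are this example's own. The refusal phrase "not in the whitelist" is assumed to be what a server with the whitelist fix (3.4.10 / 3.5.3, property `4lw.commands.whitelist`) answers; the in-process `FakeZooKeeper` is a constructed stand-in so the script runs offline, and its "ok" replies are not real ZooKeeper output.

```python
"""Audit a ZooKeeper client port for four-letter-word (4lw) whitelist settings.

Added example, not code from the ZooKeeper project or this thread.
"""
import socket
import socketserver
import threading

# Commands this thread says ZooKeeper needs for its own tooling, and the
# two commands the issue is about.
REQUIRED = ("srvr", "isro")
DANGEROUS = ("wchp", "wchc")

# Assumed reply fragment of a whitelist-enabled server for a refused command.
REFUSED_MARKER = "not in the whitelist"


def send_4lw(host, port, cmd, timeout=3.0):
    """Open one connection, send a single 4-byte command, return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(cmd.encode("ascii"))
        chunks = []
        while True:                      # server closes the connection when done
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def classify(reply):
    """'refused' when the server reports the command is not whitelisted."""
    return "refused" if REFUSED_MARKER in reply else "executed"


def audit(host, port, commands=REQUIRED + DANGEROUS):
    """Return {command: 'executed' | 'refused' | 'error'} for each command."""
    status = {}
    for cmd in commands:
        try:
            status[cmd] = classify(send_4lw(host, port, cmd))
        except OSError:
            status[cmd] = "error"
    return status


def findings(status):
    """List misconfigurations: needed commands blocked, watch dumps still open."""
    problems = []
    for cmd in REQUIRED:
        if status.get(cmd) != "executed":
            problems.append(f"{cmd} blocked: zkServer.sh status / rw-server ping would break")
    for cmd in DANGEROUS:
        if status.get(cmd) == "executed":
            problems.append(f"{cmd} enabled: watch dump reachable by any client")
    return problems


class _FakeHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a ZooKeeper client port honouring a whitelist."""

    def handle(self):
        cmd = self.request.recv(4).decode("ascii", "replace")
        if cmd in self.server.whitelist:
            reply = f"{cmd}: ok (constructed reply)\n"
        else:
            reply = f"{cmd} is not executed because it is not in the whitelist.\n"
        self.wfile.write(reply.encode())


class FakeZooKeeper(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, whitelist):
        self.whitelist = set(whitelist)
        super().__init__(("127.0.0.1", 0), _FakeHandler)


def audit_fake(whitelist):
    """Start a fake server with the given whitelist, audit it, shut it down."""
    server = FakeZooKeeper(whitelist)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Weak setting: every command enabled; hardened: only what the tooling needs.
    for name, whitelist in (("all enabled", REQUIRED + DANGEROUS),
                            ("hardened", ("ruok", "srvr", "isro", "mntr"))):
        status = audit_fake(whitelist)
        print(name, status, findings(status) or "no findings")
```

Against a real deployment, replace `audit_fake` with `audit(host, 2181)`. Because each probe opens its own connection, running the audit on a loop is also a cheap way to observe the per-call connection cost the comment above is concerned about, even for whitelisted commands.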
