zookeeper-dev mailing list archives

From "Rakesh R (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2693) DOS attack on wchp/wchc four letter words (4lw)
Date Fri, 24 Feb 2017 04:37:44 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15881932#comment-15881932

Rakesh R commented on ZOOKEEPER-2693:

I'm making an attempt to unblock the 3.4.10 and 3.5.3 releases. Following are a few proposals to
make the release happen by including the reported issue.

*3.4.10 requirement:*
Expose whitelist configuration with the default values,
Also, properly documenting the {{Publicly accessible deployment}} part from the current PR_179

*3.5.3 requirement:*
IMHO, there are two possible proposals:
# +Proposal-1)+
Expose whitelist configuration with the default values.
Also, recommend that users use the admin server rather than 4lw cmds, considering that 4lw
will be deprecated in the future.
Then, later in 3.5.4, we could make this whitelist <empty> and, while deprecating,
replace the srvr, isro calls with a better solution. That way, we would get enough time to
think about better solutions.
# +Proposal-2)+
Expose whitelist configuration with the empty default value.
* (a) How about zkServer.sh usage of "srvr" can be achieved like:
Introduce a new admin API, admin#getServerStatus("host:port"), which will return the running
stat of that server (probably the same string format that the srvr command is returning).
* (b) Client#pingRwServer => Just a plain thought, probably the readonly client code
can internally try to establish a new client session with all other servers in round robin fashion.
Then, check whether the connected server is in {{rw}} mode and act upon it.

> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>         Attachments: ZOOKEEPER-2693-01.patch
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK client port
> - typically 2181. The following POC attack was recently published on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to the client
> port to non-trusted clients - i.e. firewall the ZooKeeper service and only allow access to
> trusted applications using it for coordination.
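Both proposals hinge on a server-side allowlist gate that decides whether a four letter word may run at all. The model below is an added example, not ZooKeeper's own code: it assumes the setting is a comma-separated list of commands (with "*" enabling everything, as the 4lw.commands.whitelist property does), that an empty list enables nothing, and it uses a constructed subset of commands; the two default strings stand in for the "default values" and "empty default" of Proposal-1 and Proposal-2 so an operator can check which watch-dump commands a given setting leaves reachable.

```python
# Constructed subset of the 4lw commands a server knows about.
KNOWN_COMMANDS = {"ruok", "srvr", "stat", "mntr", "conf", "cons",
                  "isro", "wchs", "wchc", "wchp"}

# The two commands from the report: their output grows with the number of
# watches, so an untrusted client can make the server produce large responses.
WATCH_DUMP_COMMANDS = {"wchc", "wchp"}

# Constructed stand-ins for the two proposals' default settings.
PROPOSAL_1_DEFAULT = "ruok,srvr,stat,mntr,conf,cons,isro,wchs"  # no wchp/wchc
PROPOSAL_2_DEFAULT = ""                                           # nothing enabled


def parse_whitelist(value: str) -> set:
    """Turn the raw property value into the set of enabled commands.

    "*" enables every known command; an empty value enables none; an unknown
    word is a configuration error rather than something to silently ignore.
    """
    tokens = {t.strip() for t in value.split(",") if t.strip()}
    if "*" in tokens:
        return set(KNOWN_COMMANDS)
    unknown = tokens - KNOWN_COMMANDS
    if unknown:
        raise ValueError(f"unknown four letter words: {sorted(unknown)}")
    return tokens


def is_enabled(cmd: str, whitelist: set) -> bool:
    """The gate: a command not on the list is never dispatched."""
    return cmd in whitelist


def handle_4lw(cmd: str, whitelist: set) -> str:
    """Dispatch a request only after the gate; the reply text is constructed."""
    if not is_enabled(cmd, whitelist):
        return f"{cmd} is not executed because it is not in the whitelist."
    if cmd == "ruok":
        return "imok"
    return f"<output of {cmd}>"


def exposed_watch_dumps(value: str) -> list:
    """Audit helper: which watch-dump commands does this setting leave enabled?"""
    return sorted(WATCH_DUMP_COMMANDS & parse_whitelist(value))
```

Running exposed_watch_dumps("*") against a config that still uses the wildcard is the quickest way to see that the reported commands remain reachable.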
