zookeeper-dev mailing list archives

From "Michael Han (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2693) DOS attack on wchp/wchc four letter words (4lw)
Date Wed, 15 Feb 2017 04:31:41 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15867227#comment-15867227

Michael Han commented on ZOOKEEPER-2693:

bq. I don't think we can go with an all/nothing approach; many users would still want to be
able to monitor their system using existing 4lw based infra.
[~phunt] The current patch is for branch 3.5, where we have AdminServer, which is designed
to replace four letter words. That is why the patch provides only an option to completely
disable four letter words entirely instead of only disabling a specific subset. The AdminServer
will make four letter words irrelevant, and because AdminServer does not share the ZooKeeper
client port (which sometimes has to be exposed publicly), the admin of an ensemble can protect
the AdminServer port with a firewall without interrupting ZooKeeper clients. Besides, this seems
a good opportunity to push for deprecating four letter words in favor of AdminServer, which has
been around for quite a while, given the security concerns.

Do you think we still need four letter words turned on by default for the coming 3.5 release
/ master branch?

> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK client port
> - typically 2181. The following POC attack was recently published on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to the client
> port to non-trusted clients - i.e. firewall the ZooKeeper service and only allow access to
> trusted applications using it for coordination.
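As an added example (not part of this thread or of the ZooKeeper project's own files), a zoo.cfg fragment that shows the exposed setting beside the hardened one for the wchp/wchc issue described above. The 4lw.commands.whitelist and admin.* properties are assumed from the ZooKeeper documentation for the 3.4.10/3.5.3 line; the comment above only discusses an all-or-nothing switch for the 3.5 branch.

```properties
# zoo.cfg (added example, not from the JIRA thread): controlling which
# four letter words answer on the client port, before and after hardening.
#
# Assumed: the 4lw.commands.whitelist property and the admin.* AdminServer
# properties that exist in ZooKeeper 3.4.10+ / 3.5.3+.

tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181

# Exposed: every four letter word, including wchp/wchc, is served on the
# client port, which is the port most likely reachable from untrusted hosts.
#4lw.commands.whitelist=*

# Hardened: only cheap monitoring words are allowed. wchp/wchc (and dump)
# are left out, so a watch-dump request on 2181 is refused by the server
# and existing ruok/mntr based monitoring keeps working.
4lw.commands.whitelist=ruok, srvr, stat, mntr, conf, isro

# 3.5 branch: AdminServer listens on its own port, so it can be covered by
# a firewall rule separate from the client port that applications must reach.
admin.enableServer=true
admin.serverPort=8080
admin.commandURL=/commands
```

The whitelist only limits what the server will answer; it does not replace firewalling the client port from untrusted networks as the issue recommends.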

This message was sent by Atlassian JIRA
