zookeeper-dev mailing list archives

From "Patrick Hunt (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2693) DOS attack on wchp/wchc four letter words (4lw)
Date Wed, 15 Feb 2017 05:40:41 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15867293#comment-15867293 ]

Patrick Hunt commented on ZOOKEEPER-2693:
-----------------------------------------

bq. The configuration option of disabling 4lw or a subset of it seems an ultimate escape hatch

Yes, this was my thought as well.

Your argument around having the rate limiter makes sense; that's one of the things I was thinking about this morning when I originally recommended it. Now I'm also leaning toward the "whitelist" approach because I think it's a very clean solution to the problem. What I mean is no on/off config, just a single configuration listing the whitelisted 4lw. If the list is empty it's off (the map is empty); otherwise the user can select the commands they would like to expose.

If we implement something for 3.4 the same backward-compat argument should hold, i.e., if we do rate limiting in 3.4 we should also have the same functionality in 3.5.

> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DoS attack on the ZK client port
> - typically 2181. The following POC attack was recently published on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to the client
> port to non-trusted clients - i.e. firewall the ZooKeeper service and only allow access to
> trusted applications using it for coordination.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
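The two mitigations discussed in the comment above, modelled as an added example. This is not ZooKeeper's code and not the patch that eventually shipped; it is a small Python model of the semantics Patrick describes: a single whitelist setting where an empty list means every four letter word is off, plus a per-client token-bucket rate limiter as the alternative. The command names in KNOWN_4LW are ZooKeeper's real four letter words; the burst and refill numbers, the class and function names, and the fact that the whitelist is checked before any token is spent are assumptions made for the example.

```python
"""Model of the 4lw mitigations discussed in ZOOKEEPER-2693.

Added example, not ZooKeeper's own code. It shows the whitelist-only
semantics (empty list = all 4lw disabled, otherwise only the listed
commands are served) beside a per-client rate limiter.
"""

# Real ZooKeeper four letter words; used to reject typos in the config so a
# misspelled entry cannot silently enable or disable the wrong command.
KNOWN_4LW = frozenset({
    "ruok", "stat", "srvr", "mntr", "cons", "envi", "dump",
    "wchs", "wchc", "wchp", "isro", "conf", "gtmk", "stmk", "crst", "srst",
})


def parse_whitelist(value):
    """Parse a comma-separated whitelist into the set of allowed commands.

    An empty or blank value yields an empty set, which means every 4lw is
    off. Unknown names raise so a typo is a startup error, not a silent hole.
    """
    allowed = set()
    for name in value.split(","):
        name = name.strip().lower()
        if not name:
            continue
        if name not in KNOWN_4LW:
            raise ValueError("unknown four letter word in whitelist: %r" % name)
        allowed.add(name)
    return frozenset(allowed)


class TokenBucket:
    """Classic token bucket: `capacity` requests may burst, then `refill_per_sec`."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = float(capacity)
        self.refill_per_sec = float(refill_per_sec)
        self.tokens = float(capacity)
        self.last = None  # timestamp of the last call, None until first use

    def allow(self, now):
        if self.last is not None:
            elapsed = max(0.0, now - self.last)
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class FourLetterGuard:
    """Decide whether a 4lw from a given client may be executed.

    The whitelist is consulted first, so a disabled command (e.g. wchp with an
    empty list) costs nothing and does not touch the rate limiter. Buckets are
    keyed by client address (an assumption for the example) so one abusive
    peer cannot exhaust the budget that health checks on `ruok` rely on.
    """

    def __init__(self, whitelist_config, burst=5, refill_per_sec=1.0):
        self.allowed = parse_whitelist(whitelist_config)
        self.burst = burst
        self.refill_per_sec = refill_per_sec
        self.buckets = {}

    def check(self, client_addr, cmd, now):
        """Return "ok", "disabled" or "rate-limited" for this request."""
        cmd = cmd.strip().lower()
        if cmd not in self.allowed:
            return "disabled"
        bucket = self.buckets.setdefault(
            client_addr, TokenBucket(self.burst, self.refill_per_sec))
        return "ok" if bucket.allow(now) else "rate-limited"


if __name__ == "__main__":
    # Constructed walk-through: everything off, then a narrow whitelist.
    off = FourLetterGuard("")
    print("empty whitelist, wchp:", off.check("10.0.0.9", "wchp", 0.0))
    narrow = FourLetterGuard("ruok,stat", burst=2, refill_per_sec=1.0)
    for t, cmd in [(0.0, "ruok"), (0.0, "ruok"), (0.0, "ruok"), (0.0, "wchp"), (2.0, "ruok")]:
        print("t=%.0f %s -> %s" % (t, cmd, narrow.check("10.0.0.9", cmd, t)))
```

Note what the rate limiter does not do: a single `wchp` against a server holding a large watch table is still a single expensive call, so limiting to a few per second only bounds how fast an attacker can repeat it. That is why the issue description's advice to firewall 2181 to trusted clients remains the primary control, with the whitelist (leaving `wchp`/`wchc` off unless an operator needs them) as the escape hatch.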
