zookeeper-dev mailing list archives

From "Patrick Hunt (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2693) DOS attack on wchp/wchc four letter words (4lw)
Date Wed, 15 Feb 2017 15:33:41 GMT

[ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15868035#comment-15868035 ]

Patrick Hunt commented on ZOOKEEPER-2693:
-----------------------------------------

That makes sense to me (scoping). What will the default list of 4lw be?

3.4: ruok,srvr,crst,srst,isro,mntr
3.5: <empty>

Note: the full list of supported commands is different from 3.4 to 3.5 (possibly trunk?) -
we'll need to ensure the docs reflect correctly.

Do you think that makes sense? From what I can see these are low cost lookups. Some of the
items I left off are more expensive or questionable in terms of whether they should be exposed
if a firewall is not used.

Or should 3.4 include all commands aside from the two identified in this jira? I'm thinking
be safe (smaller list), document this clearly in the docs and in the release notes, and allow
the users interested in exposing more 4lw to do so. Downside is that users may be impacted,
i.e. would have to update production configurations.

What should we call this? zookeeper.4lw.commands.whitelist ?

We'll need to verify the list; 4 letters, from the possible set of commands available.

> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK client port
> - typically 2181. The following POC attack was recently published on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to the client
> port to non-trusted clients - i.e. firewall the ZooKeeper service and only allow access to
> trusted applications using it for coordination.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
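An added example, not code from the ZooKeeper project or from this thread, showing the shape of the whitelist mechanism the comment discusses: read a whitelist property from zoo.cfg-style text, fall back to the per-version default list proposed in the comment when the property is absent, reject entries that are not four-letter known commands (the verification step the comment asks for), and gate each incoming word before it is executed. The property name `zookeeper.4lw.commands.whitelist` is the one floated in the comment and is an assumption here, not a confirmed setting; `KNOWN_COMMANDS` is an illustrative set, since the real set differs between 3.4 and 3.5.

```python
"""Added example (not ZooKeeper's own code): parse and enforce a 4lw whitelist.

Assumptions: the property name is the one proposed in the JIRA comment, and
KNOWN_COMMANDS is illustrative; a real server must use the command set it was
built with, which differs between 3.4 and 3.5.
"""

WHITELIST_PROPERTY = "zookeeper.4lw.commands.whitelist"  # name proposed in the comment

# Defaults proposed in the comment: a small, cheap set for 3.4, nothing for 3.5.
DEFAULTS = {
    "3.4": frozenset({"ruok", "srvr", "crst", "srst", "isro", "mntr"}),
    "3.5": frozenset(),
}

# Commands the server recognises. ASSUMPTION: illustrative only, built from
# the words named in this thread plus a few widely documented ones.
KNOWN_COMMANDS = frozenset({
    "ruok", "srvr", "crst", "srst", "isro", "mntr",
    "wchp", "wchc", "wchs", "stat", "conf", "cons", "dump", "envi",
})


def parse_whitelist(config_text: str, version: str) -> frozenset:
    """Return the set of enabled 4lw commands for a zoo.cfg-style text.

    If the property is absent, the version's proposed default applies.
    Every listed entry must be exactly four letters and a known command,
    so a typo in a production config fails loudly at startup instead of
    silently enabling nothing (or the wrong thing).
    """
    if version not in DEFAULTS:
        raise ValueError(f"unknown version {version!r}")
    value = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == WHITELIST_PROPERTY:
            value = val  # last occurrence wins, like a properties file
    if value is None:
        return DEFAULTS[version]
    enabled = set()
    for entry in value.split(","):
        cmd = entry.strip().lower()
        if not cmd:
            continue  # tolerate a trailing comma
        if len(cmd) != 4 or not cmd.isalpha():
            raise ValueError(f"{cmd!r} is not a four-letter word")
        if cmd not in KNOWN_COMMANDS:
            raise ValueError(f"{cmd!r} is not a supported command")
        enabled.add(cmd)
    return frozenset(enabled)


def is_enabled(command: str, whitelist: frozenset) -> bool:
    """Gate check to run before a 4lw received on the client port is executed."""
    return command.lower() in whitelist


if __name__ == "__main__":
    # Constructed sample configs, not real deployment files.
    default_cfg = "tickTime=2000\nclientPort=2181\n"
    custom_cfg = default_cfg + f"{WHITELIST_PROPERTY}=ruok, mntr, stat\n"
    for label, cfg in (("default", default_cfg), ("custom", custom_cfg)):
        wl = parse_whitelist(cfg, "3.4")
        print(label, sorted(wl))
        for cmd in ("ruok", "wchp", "wchc"):
            print(f"  {cmd}: {'allowed' if is_enabled(cmd, wl) else 'refused'}")
```

With the proposed defaults, wchp and wchc are refused on both 3.4 and 3.5 unless an operator lists them explicitly, which is the "be safe (smaller list)" posture the comment argues for; the validation on load is what turns a mistyped whitelist into a startup error rather than a quietly different exposure.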
