Return-Path: <dev-return-56313-archive-asf-public=cust-asf.ponee.io@zookeeper.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 88AE2200C1D
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Thu, 16 Feb 2017 18:29:55 +0100 (CET)
Received: by cust-asf.ponee.io (Postfix)
	id 874BC160B61; Thu, 16 Feb 2017 17:29:55 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id D317A160B52
	for <archive-asf-public@cust-asf.ponee.io>; Thu, 16 Feb 2017 18:29:54 +0100 (CET)
Received: (qmail 88664 invoked by uid 500); 16 Feb 2017 17:29:49 -0000
Mailing-List: contact dev-help@zookeeper.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@zookeeper.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@zookeeper.apache.org>
List-Post: <mailto:dev@zookeeper.apache.org>
List-Id: <dev.zookeeper.apache.org>
Reply-To: dev@zookeeper.apache.org
Delivered-To: mailing list dev@zookeeper.apache.org
Received: (qmail 88648 invoked by uid 99); 16 Feb 2017 17:29:49 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 16 Feb 2017 17:29:49 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 72A6CC18AF
	for <dev@zookeeper.apache.org>; Thu, 16 Feb 2017 17:29:48 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -1.198
X-Spam-Level: 
X-Spam-Status: No, score=-1.198 tagged_above=-999 required=6.31
	tests=[KAM_ASCII_DIVIDERS=0.8, KAM_LAZY_DOMAIN_SECURITY=1,
	RP_MATCHES_RCVD=-2.999, URIBL_BLOCKED=0.001] autolearn=disabled
Received: from mx1-lw-us.apache.org ([10.40.0.8])
	by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024)
	with ESMTP id xViM9H79Sl7I for <dev@zookeeper.apache.org>;
	Thu, 16 Feb 2017 17:29:47 +0000 (UTC)
Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139])
	by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 52CC45F54F
	for <dev@zookeeper.apache.org>; Thu, 16 Feb 2017 17:29:47 +0000 (UTC)
Received: from jira-lw-us.apache.org (unknown [207.244.88.139])
	by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 8CAEEE05F0
	for <dev@zookeeper.apache.org>; Thu, 16 Feb 2017 17:29:43 +0000 (UTC)
Received: from jira-lw-us.apache.org (localhost [127.0.0.1])
	by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 756D924121
	for <dev@zookeeper.apache.org>; Thu, 16 Feb 2017 17:29:42 +0000 (UTC)
Date: Thu, 16 Feb 2017 17:29:42 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)" <jira@apache.org>
To: dev@zookeeper.apache.org
Message-ID: <JIRA.13042793.1487043193000.101233.1487266182479@Atlassian.JIRA>
In-Reply-To: <JIRA.13042793.1487043193000@Atlassian.JIRA>
References: <JIRA.13042793.1487043193000@Atlassian.JIRA> <JIRA.13042793.1487043193979@jira-lw-us.apache.org>
Subject: [jira] [Commented] (ZOOKEEPER-2693) DOS attack on wchp/wchc four
 letter words (4lw)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Thu, 16 Feb 2017 17:29:55 -0000


    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15870316#comment-15870316 ] 

ASF GitHub Bot commented on ZOOKEEPER-2693:
-------------------------------------------

Github user rakeshadr commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/179#discussion_r101576900
  
    --- Diff: src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml ---
    @@ -1155,6 +1155,30 @@ server.3=zoo3:2888:3888</programlisting>
                 </listitem>
               </varlistentry>
     
    +          <varlistentry>
    +            <term>4lw.commands.whitelist</term>
    +
    +            <listitem>
    +              <para>(Java system property: <emphasis
    --- End diff --
    
    >>This new configuration option is provided as both zoo.cfg option and system properties so users can encode the white list in zoo.cfg and that is the recommended approach as documented in the admin manual
    
    Do you meant, you are supporting both options - users can either configure the list in `zoo.cfg` or set as `system properties`? If yes, I'm OK to this approach.  But in the code I could see that server reads the value from `System.getProperty(ZOOKEEPER_4LW_COMMANDS_WHITELIST)` and it is not reading the value from `zoo.cfg`


> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK client port - typically 2181. The following POC attack was recently published on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to the client port to non-trusted clients - i.e. firewall the ZooKeeper service and only allow access to trusted applications using it for coordination.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)