Date: Wed, 15 Feb 2017 15:33:41 +0000 (UTC)
From: "Patrick Hunt (JIRA)"
To: dev@zookeeper.apache.org
Subject: [jira] [Commented] (ZOOKEEPER-2693) DOS attack on wchp/wchc four letter words (4lw)

[ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15868035#comment-15868035 ]

Patrick Hunt commented on ZOOKEEPER-2693:
-----------------------------------------

That makes sense to me (scoping). What will the default list of 4lw be?

3.4: ruok,srvr,crst,srst,isro,mntr
3.5:

Note: the full list of supported commands is different from 3.4 to 3.5 (possibly trunk?) - we'll need to ensure the docs reflect correctly.

Do you think that makes sense? From what I can see these are low cost lookups. Some of the items I left off are more expensive or questionable in terms of whether they should be exposed if a firewall is not used. Or should 3.4 include all commands aside from the two identified in this jira?

I'm thinking be safe (smaller list), document this clearly in the docs and in the release notes, and allow the users interested in exposing more 4lw to do so. Downside is that users may be impacted, i.e. would have to update production configurations.

What should we call this? zookeeper.4lw.commands.whitelist ?

We'll need to verify the list; 4 letters, from the possible set of commands available.

> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK client port - typically 2181. The following POC attack was recently published on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to the client port to non-trusted clients - i.e. firewall the ZooKeeper service and only allow access to trusted applications using it for coordination.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
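As an added illustration of the whitelist scoping discussed in the comment (example code written here, not ZooKeeper's implementation or anything from this thread), the block below parses a value for the proposed `zookeeper.4lw.commands.whitelist` property, refuses entries that are not four-letter known commands, defaults to the 3.4 list from the comment with everything else denied, and flags the two watch-dumping commands the issue identifies as costly. The property name is the one proposed in the comment; the set of known commands is deliberately limited to those named on this page.

```python
"""Validate a 4lw command whitelist and decide whether a command may run.

Illustrative model of the ``zookeeper.4lw.commands.whitelist`` property
proposed in ZOOKEEPER-2693; not ZooKeeper's own code.
"""
import re

# Default list proposed for 3.4 in the thread (cheap, read-only lookups).
DEFAULT_WHITELIST_34 = ("ruok", "srvr", "crst", "srst", "isro", "mntr")

# Commands this example knows about: the proposed defaults plus the two
# watch-dumping commands the issue flags. The real server supports more;
# the set here is limited to what the thread mentions (assumption).
KNOWN_COMMANDS = frozenset(DEFAULT_WHITELIST_34 + ("wchp", "wchc"))

# Commands whose cost grows with the number of watches and sessions.
EXPENSIVE_COMMANDS = frozenset({"wchp", "wchc"})

_FOUR_LETTERS = re.compile(r"^[a-z]{4}$")


def parse_whitelist(value):
    """Parse a comma-separated property value into a frozenset of commands.

    Every entry must be exactly four lowercase letters and a known command;
    otherwise ValueError names the bad entry so a typo cannot silently
    widen or narrow what is exposed. An empty value exposes no 4lw at all.
    """
    allowed = set()
    for raw in value.split(","):
        cmd = raw.strip()
        if not cmd:
            continue
        if not _FOUR_LETTERS.match(cmd):
            raise ValueError("whitelist entry %r is not a four-letter word" % cmd)
        if cmd not in KNOWN_COMMANDS:
            raise ValueError("whitelist entry %r is not a known 4lw command" % cmd)
        allowed.add(cmd)
    return frozenset(allowed)


def is_allowed(cmd, whitelist=frozenset(DEFAULT_WHITELIST_34)):
    """True only if cmd is explicitly listed; anything else is refused."""
    return cmd in whitelist


def expensive_entries(whitelist):
    """Whitelisted commands the issue calls costly, so an operator enabling
    them on a port that is not firewalled can be warned at startup."""
    return sorted(whitelist & EXPENSIVE_COMMANDS)
```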