From: Andor Molnar
Date: Mon, 20 May 2019 19:14:40 +0200
To: user@zookeeper.apache.org, DevZooKeeper
Cc: security@zookeeper.apache.org, harrison@patchadvisor.com, Anne Brink
Subject: [CVE-2019-0201] Information disclosure vulnerability in Apache ZooKeeper

CVE-2019-0201: Information disclosure vulnerability in Apache ZooKeeper

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: ZooKeeper prior to 3.4.14, ZooKeeper 3.5.0-alpha through 3.5.4-beta. The unsupported ZooKeeper 1.x through 3.3.x versions may also be affected.

Description: ZooKeeper’s getACL() command doesn’t check any permission when it retrieves the ACLs of the requested node, and it returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by a getACL() request to unauthenticated or unprivileged users.

Mitigation: Use an authentication method other than Digest (e.g. Kerberos) or upgrade to 3.4.14 or later (3.5.5 or later if on the 3.5 branch).

Credit: This issue was identified by Harrison Neal PatchAdvisor, Inc.

References: https://issues.apache.org/jira/browse/ZOOKEEPER-1392
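
Added example (not part of the original advisory and not ASF code): a small triage helper that applies the version ranges stated above and lists which ACL entries use the digest scheme, i.e. whose Id field carries the hash the advisory describes. The function names, the "scheme:id:perms" export format (modelled on setAcl syntax) and the sample entries are assumptions constructed for illustration.

```python
import re

def classify_version(version: str) -> str:
    """Map a ZooKeeper version string onto the ranges given in the advisory."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if (major, minor) < (3, 4):
        return "possibly-affected"      # unsupported 1.x through 3.3.x
    if (major, minor) == (3, 4):
        return "affected" if patch < 14 else "not-listed"
    if (major, minor) == (3, 5):
        # 3.5.0-alpha through 3.5.4-beta are affected; 3.5.5 carries the fix
        return "affected" if patch <= 4 else "not-listed"
    return "not-listed"

def digest_identities(acl_lines):
    """Return the user names of digest-scheme entries ("digest:user:hash:perms")."""
    users = set()
    for line in acl_lines:
        parts = line.strip().split(":")
        if len(parts) == 4 and parts[0] == "digest":
            users.add(parts[1])         # parts[2] is the hash; never logged here
    return sorted(users)

def triage(version, acl_lines):
    """Combine both checks into one report for a single ensemble."""
    status = classify_version(version)
    users = digest_identities(acl_lines)
    return {
        "version_status": status,
        "digest_users": users,
        # Disclosure needs both an unfixed server and Digest Authentication in use.
        "hash_disclosure_risk": status != "not-listed" and bool(users),
    }

# Constructed sample ACL export; the hash fields are placeholders, not real digests.
SAMPLE_ACLS = [
    "world:anyone:r",
    "digest:alice:CONSTRUCTED_HASH_A=:cdrwa",
    "digest:bob:CONSTRUCTED_HASH_B=:rw",
    "sasl:svc-kafka:cdrwa",
    "digest:alice:CONSTRUCTED_HASH_A=:r",
]

if __name__ == "__main__":
    for v in ("3.4.13", "3.5.4-beta", "3.5.5"):
        print(v, triage(v, SAMPLE_ACLS))
```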