zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Xiaoqin Fu <xiaoqin...@gmail.com>
Subject Re: Two Apache Zookeeper security vulnerabilities
Date Tue, 06 Aug 2019 01:24:47 GMT
Dear Patrick Hunt:
     I opened two issues in the JIRA:
https://issues.apache.org/jira/browse/ZOOKEEPER-3488 and
https://issues.apache.org/jira/browse/ZOOKEEPER-3489
     I am very sorry that I cannot reply
https://lists.apache.org/thread.html/ea0f515bcb994bae54e62584c2c659b83efa4d22e741d4b688c4479b
<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.apache.org_thread.html_ea0f515bcb994bae54e62584c2c659b83efa4d22e741d4b688c4479b-40-253Cuser.zookeeper.apache.org-253E&d=DwMFaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-Je7sw&r=I7kF79XmGGZ9RLTiorMoewvoyduMXtLcRb1B2epe9cI&m=C_FrvfYh4GtqQesDyKDl4kau6xsDwvLGHAA0IZB9etE&s=mZcIhnGSnLca5JxJbOoKzoTiSuQQZmtyDo_eadoJHcw&e=>
     Please confirm them and give them CVE IDs.


    Thank you very much!
    Yours sincerely
    Xiaoqin Fu

On Mon, Aug 5, 2019 at 6:23 PM Xiaoqin Fu <xiaoqin.fu@gmail.com> wrote:

> Dear Patrick Hunt:
>      I opened two issues in the JIRA:
> https://issues.apache.org/jira/browse/ZOOKEEPER-3488 and
> https://issues.apache.org/jira/browse/ZOOKEEPER-3489
>      I am very sorry that I cannot reply
> https://lists.apache.org/thread.html/ea0f515bcb994bae54e62584c2c659b83efa4d22e741d4b688c4479b
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.apache.org_thread.html_ea0f515bcb994bae54e62584c2c659b83efa4d22e741d4b688c4479b-40-253Cuser.zookeeper.apache.org-253E&d=DwMFaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-Je7sw&r=I7kF79XmGGZ9RLTiorMoewvoyduMXtLcRb1B2epe9cI&m=C_FrvfYh4GtqQesDyKDl4kau6xsDwvLGHAA0IZB9etE&s=mZcIhnGSnLca5JxJbOoKzoTiSuQQZmtyDo_eadoJHcw&e=>
>      Please confirm them and give them CVE IDs.
>
>
>     Thank you very much!
>     Yours sincerely
>     Xiaoqin Fu
>
>
> On Fri, Aug 2, 2019 at 11:20 AM Patrick Hunt <phunt@apache.org> wrote:
>
>> I know. :-) Once a vulnerability has been publicly disclosed there is no
>> value in handling it on the security@ list - that's for undisclosed
>> vulnerabilities to be handled in a responsible (private) manner until a fix
>> can be released to end users. You can see the process here:
>> https://www.apache.org/security/committers.html
>>
>> Regards,
>>
>> Patrick
>>
>> On Fri, Aug 2, 2019 at 10:24 AM Xiaoqin Fu <xiaoqin.fu@gmail.com> wrote:
>>
>>> Dear Patrick Hunt:
>>>
>>> https://lists.apache.org/thread.html/ea0f515bcb994bae54e62584c2c659b83efa4d22e741d4b688c4479b@<user.zookeeper.apache.org>
>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.apache.org_thread.html_ea0f515bcb994bae54e62584c2c659b83efa4d22e741d4b688c4479b-40-253Cuser.zookeeper.apache.org-253E&d=DwMFaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-Je7sw&r=I7kF79XmGGZ9RLTiorMoewvoyduMXtLcRb1B2epe9cI&m=C_FrvfYh4GtqQesDyKDl4kau6xsDwvLGHAA0IZB9etE&s=mZcIhnGSnLca5JxJbOoKzoTiSuQQZmtyDo_eadoJHcw&e=>
was
>>> disclosed by me.
>>>
>>>    Thank you very much!
>>>    Yours sincerely
>>>    Xiaoqin Fu
>>>
>>>
>>> On Fri, Aug 2, 2019 at 11:04 AM Patrick Hunt <phunt@apache.org> wrote:
>>>
>>>> Hi Xiaoqin Fu. Thank you for the report. The Apache Software Foundation
>>>> and the Apache ZooKeeper project takes security issues very seriously.
>>>>
>>>> Unfortunately this issue has already been publicly disclosed on both
>>>> the dev and user lists:
>>>>
>>>> https://lists.apache.org/thread.html/ea0f515bcb994bae54e62584c2c659b83efa4d22e741d4b688c4479b@<user.zookeeper.apache.org>
>>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.apache.org_thread.html_ea0f515bcb994bae54e62584c2c659b83efa4d22e741d4b688c4479b-40-253Cuser.zookeeper.apache.org-253E&d=DwMFaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-Je7sw&r=I7kF79XmGGZ9RLTiorMoewvoyduMXtLcRb1B2epe9cI&m=C_FrvfYh4GtqQesDyKDl4kau6xsDwvLGHAA0IZB9etE&s=mZcIhnGSnLca5JxJbOoKzoTiSuQQZmtyDo_eadoJHcw&e=>
>>>> as such please follow our standard processes documented here:
>>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/HowToContribute
>>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_ZOOKEEPER_HowToContribute&d=DwMFaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-Je7sw&r=I7kF79XmGGZ9RLTiorMoewvoyduMXtLcRb1B2epe9cI&m=C_FrvfYh4GtqQesDyKDl4kau6xsDwvLGHAA0IZB9etE&s=vhQg3XrZS-o0UME9EYvtoCerG-ZNtJhTtbvo1M_MasM&e=>
-
>>>> the community will work with you to get the issue resolved.
>>>>
>>>> Regards,
>>>>
>>>> Patrick
>>>>
>>>>
>>>> On Fri, Aug 2, 2019 at 3:35 AM Fu, Xiaoqin <xiaoqin.fu@wsu.edu> wrote:
>>>>
>>>>> Dear developers:
>>>>>    I am a Ph.D. student at Washington State University. I applied
>>>>> dynamic taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11).
>>>>> And then I find several bugs, that exist from 3.4.11-3.4.14 and 3.5.5,
from
>>>>> tainted paths:
>>>>>
>>>>> 1. In org.apache.zookeeper.server.ZooKeeperServer:
>>>>>     public ZooKeeperServer(FileTxnSnapLog txnLogFactory, int tickTime,
>>>>>             int minSessionTimeout, int maxSessionTimeout, ZKDatabase
>>>>> zkDb) {
>>>>> ......
>>>>>         LOG.info("Created server with tickTime " + tickTime
>>>>>                 + " minSessionTimeout " + getMinSessionTimeout()
>>>>>                 + " maxSessionTimeout " + getMaxSessionTimeout()
>>>>>                 + " datadir " + txnLogFactory.getDataDir()
>>>>>                 + " snapdir " + txnLogFactory.getSnapDir());
>>>>> ......
>>>>>     }
>>>>> public void finishSessionInit(ServerCnxn cnxn, boolean valid)
>>>>> ......
>>>>>             if (!valid) {
>>>>>                 LOG.info("Invalid session 0x"
>>>>>                         + Long.toHexString(cnxn.getSessionId())
>>>>>                         + " for client "
>>>>>                         + cnxn.getRemoteSocketAddress()
>>>>>                         + ", probably expired");
>>>>>                 cnxn.sendBuffer(ServerCnxnFactory.closeConn);
>>>>>             } else {
>>>>>                 LOG.info("Established session 0x"
>>>>>                         + Long.toHexString(cnxn.getSessionId())
>>>>>                         + " with negotiated timeout " +
>>>>> cnxn.getSessionTimeout()
>>>>>                         + " for client "
>>>>>                         + cnxn.getRemoteSocketAddress());
>>>>>                 cnxn.enableRecv();
>>>>>             }
>>>>> ......
>>>>> }
>>>>> Sensitive information about DataDir, SnapDir, SessionId and
>>>>> RemoteSocketAddress may be leaked. I think that it is better to add
>>>>> LOG.isInfoEnabled() conditional statements:
>>>>>     public ZooKeeperServer(FileTxnSnapLog txnLogFactory, int tickTime,
>>>>>             int minSessionTimeout, int maxSessionTimeout, ZKDatabase
>>>>> zkDb) {
>>>>> ......
>>>>> if (LOG.isInfoEnabled())
>>>>> LOG.info("Created server with tickTime " + tickTime
>>>>>                 + " minSessionTimeout " + getMinSessionTimeout()
>>>>>                 + " maxSessionTimeout " + getMaxSessionTimeout()
>>>>>                 + " datadir " + txnLogFactory.getDataDir()
>>>>>                 + " snapdir " + txnLogFactory.getSnapDir());
>>>>> ......
>>>>>     }
>>>>> public void finishSessionInit(ServerCnxn cnxn, boolean valid) {
>>>>> ......
>>>>>             if (!valid) {
>>>>> if (LOG.isInfoEnabled())
>>>>> LOG.info("Invalid session 0x"
>>>>>                         + Long.toHexString(cnxn.getSessionId())
>>>>>                         + " for client "
>>>>>                         + cnxn.getRemoteSocketAddress()
>>>>>                         + ", probably expired");
>>>>>                 cnxn.sendBuffer(ServerCnxnFactory.closeConn);
>>>>>             } else {
>>>>> if (LOG.isInfoEnabled())
>>>>> LOG.info("Established session 0x"
>>>>>                         + Long.toHexString(cnxn.getSessionId())
>>>>>                         + " with negotiated timeout " +
>>>>> cnxn.getSessionTimeout()
>>>>>                         + " for client "
>>>>>                         + cnxn.getRemoteSocketAddress());
>>>>>                 cnxn.enableRecv();
>>>>>             }
>>>>> ......
>>>>> }
>>>>> The LOG.isInfoEnabled() conditional statement already exists in
>>>>> org.apache.zookeeper.server.persistence.FileTxnLog:
>>>>> public synchronized boolean append(TxnHeader hdr, Record txn) throws
>>>>> IOException {
>>>>> { ......
>>>>>    if(LOG.isInfoEnabled()){
>>>>> LOG.info("Creating new log file: " + Util.makeLogName(hdr.getZxid()));
>>>>>    }
>>>>> ......
>>>>> }
>>>>> 2. In org.apache.zookeeper.ClientCnxn$SendThread,
>>>>>         void readResponse(ByteBuffer incomingBuffer) throws
>>>>> IOException {
>>>>>             ......
>>>>> LOG.warn("Got server path " + event.getPath()
>>>>> + " which is too short for chroot path "
>>>>> + chrootPath);
>>>>> ......
>>>>>         }
>>>>> Sensitive information about event path and chroot path may be leaked.
>>>>> The LOG.isWarnEnabled() conditional statement should be added:
>>>>>     void readResponse(ByteBuffer incomingBuffer) throws IOException {
>>>>>             ......
>>>>> if (LOG.isWarnEnabled())
>>>>> LOG.warn("Got server path " + event.getPath()
>>>>> + " which is too short for chroot path "
>>>>> + chrootPath);
>>>>> ......
>>>>>         }
>>>>>
>>>>>     Please help me confirm them and give them CVE IDs.
>>>>>
>>>>>     Thank you very much!
>>>>>     Yours sincerely
>>>>>     Xiaoqin Fu
>>>>>
>>>>>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message