zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Xiaoqin Fu <xiaoqin...@gmail.com>
Subject An Apache Zookeeper Security Vulnerability
Date Tue, 13 Aug 2019 02:40:42 GMT
Dear developers:
     I am a Ph.D. student at Washington State University. I applied dynamic
taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11). And then I
find a security vulnerability, that exists from 3.4.11-3.4.14 and 3.5.5,
from tainted paths.

An information leakage from FileTxnSnapLog to log:
In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the statement
LOG.debug don't have LOG controls:
    public void processTransaction(TxnHeader hdr,DataTree dt,
            Map<Long, Integer> sessions, Record txn)
        throws KeeperException.NoNodeException {
......
        if (rc.err != Code.OK.intValue()) {
            LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
                    + ", error: " + rc.err + ", path: " + rc.path);
        }
......
    }

Sensitive information about hdr type or rc path was leaked. The conditional
statement LOG.isDebugEnabled() should be added:
    public void processTransaction(TxnHeader hdr,DataTree dt,
            Map<Long, Integer> sessions, Record txn)
        throws KeeperException.NoNodeException {
......
        if (rc.err != Code.OK.intValue()) {
        if (LOG.isDebugEnabled())
LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
                    + ", error: " + rc.err + ", path: " + rc.path);
        }
......
    }
In JIRA, it is at https://issues.apache.org/jira/browse/ZOOKEEPER-3504
    Please help me confirm it.

    Thank you very much!
    Yours sincerely
    Xiaoqin Fu

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message