zookeeper-dev mailing list archives

From Patrick Hunt <ph...@apache.org>
Subject Re: An Apache Zookeeper Security Vulnerability
Date Fri, 09 Aug 2019 16:40:03 GMT
On Fri, Aug 9, 2019 at 9:34 AM Enrico Olivelli <eolivelli@gmail.com> wrote:

> Those points do not seem to be a security issue
>
>
Agree. First off the data is not sensitive. Also it's debug level and
logged on the server. See
https://issues.apache.org/jira/browse/ZOOKEEPER-3488 - similar situation
although in this case debug is not the default - user would actively have
to turn this on.

Patrick


>
> Enrico
>
>
> On Fri, Aug 9, 2019, 17:52 Fu, Xiaoqin <xiaoqin.fu@wsu.edu> wrote:
>
> > Dear developers:
> >      I am a Ph.D. student at Washington State University. I applied
> > a dynamic taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11).
> > And then I found a security vulnerability, which exists from 3.4.11-3.4.14
> > and 3.5.5, from tainted paths.
> >
> > Possible information leakage from FileTxnSnapLog to log without LOG
> > control LOG.isDebugEnabled():
> > In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the statement
> > LOG.debug doesn't have LOG controls:
> >     public void processTransaction(TxnHeader hdr,DataTree dt,
> >             Map<Long, Integer> sessions, Record txn)
> >         throws KeeperException.NoNodeException {
> > ......
> >         if (rc.err != Code.OK.intValue()) {
> >             LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> >                     + ", error: " + rc.err + ", path: " + rc.path);
> >         }
> > ......
> >     }
> >
> > Sensitive information about hdr type or rc path may be leaked. The
> > conditional statement LOG.isDebugEnabled() should be added:
> >     public void processTransaction(TxnHeader hdr,DataTree dt,
> >             Map<Long, Integer> sessions, Record txn)
> >         throws KeeperException.NoNodeException {
> > ......
> >         if (rc.err != Code.OK.intValue()) {
> >             if (LOG.isDebugEnabled())
> >                 LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> >                         + ", error: " + rc.err + ", path: " + rc.path);
> >         }
> > ......
> >     }
> >     Please help me confirm it and give it a CVE ID.
> >
> >     Thank you very much!
> >     Yours sincerely
> >     Xiaoqin Fu
> >
> >
>
