zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Mollitor <dam6...@gmail.com>
Subject Re: An Apache Zookeeper Security Vulnerability
Date Tue, 13 Aug 2019 03:17:11 GMT
If logging is higher than DEBUG level, the message will not print.  The
Log.debug() method will check the log level internally.  Adding the
external check is simply a potential performance optimization.

Thanks.

On Mon, Aug 12, 2019, 10:41 PM Xiaoqin Fu <xiaoqin.fu@gmail.com> wrote:

> Dear developers:
>      I am a Ph.D. student at Washington State University. I applied dynamic
> taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11). And then I
> find a security vulnerability, that exists from 3.4.11-3.4.14 and 3.5.5,
> from tainted paths.
>
> An information leakage from FileTxnSnapLog to log:
> In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the statement
> LOG.debug don't have LOG controls:
>     public void processTransaction(TxnHeader hdr,DataTree dt,
>             Map<Long, Integer> sessions, Record txn)
>         throws KeeperException.NoNodeException {
> ......
>         if (rc.err != Code.OK.intValue()) {
>             LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
>                     + ", error: " + rc.err + ", path: " + rc.path);
>         }
> ......
>     }
>
> Sensitive information about hdr type or rc path was leaked. The conditional
> statement LOG.isDebugEnabled() should be added:
>     public void processTransaction(TxnHeader hdr,DataTree dt,
>             Map<Long, Integer> sessions, Record txn)
>         throws KeeperException.NoNodeException {
> ......
>         if (rc.err != Code.OK.intValue()) {
>         if (LOG.isDebugEnabled())
> LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
>                     + ", error: " + rc.err + ", path: " + rc.path);
>         }
> ......
>     }
> In JIRA, it is at https://issues.apache.org/jira/browse/ZOOKEEPER-3504
>     Please help me confirm it.
>
>     Thank you very much!
>     Yours sincerely
>     Xiaoqin Fu
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message