From: Patrick Hunt
Date: Fri, 9 Aug 2019 09:40:03 -0700
Subject: Re: An Apache Zookeeper Security Vulnerability
To: DevZooKeeper
Cc: UserZooKeeper
Mailing list: dev@zookeeper.apache.org

On Fri, Aug 9, 2019 at 9:34 AM Enrico Olivelli wrote:

> Those points do not seem a security issue
>

Agree. First off the data is not sensitive. Also it's debug level and logged
on the server. See https://issues.apache.org/jira/browse/ZOOKEEPER-3488 -
similar situation although in this case debug is not the default - user
would actively have to turn this on.

Patrick

>
> Enrico
>
>
> On Fri 9 Aug 2019, 17:52 Fu, Xiaoqin wrote:
>
> > Dear developers:
> > I am a Ph.D. student at Washington State University. I applied a
> > dynamic taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11).
> > And then I found a security vulnerability, which exists in 3.4.11-3.4.14
> > and 3.5.5, from tainted paths.
> >
> > Possible information leakage from FileTxnSnapLog to log without LOG
> > control LOG.isDebugEnabled():
> > In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the statement
> > LOG.debug doesn't have a LOG control:
> >
> >     public void processTransaction(TxnHeader hdr, DataTree dt,
> >             Map<Long, Integer> sessions, Record txn)
> >             throws KeeperException.NoNodeException {
> >         ......
> >         if (rc.err != Code.OK.intValue()) {
> >             LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> >                     + ", error: " + rc.err + ", path: " + rc.path);
> >         }
> >         ......
> >     }
> >
> > Sensitive information about hdr type or rc path may be leaked. The
> > conditional statement LOG.isDebugEnabled() should be added:
> >
> >     public void processTransaction(TxnHeader hdr, DataTree dt,
> >             Map<Long, Integer> sessions, Record txn)
> >             throws KeeperException.NoNodeException {
> >         ......
> >         if (rc.err != Code.OK.intValue()) {
> >             if (LOG.isDebugEnabled())
> >                 LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> >                         + ", error: " + rc.err + ", path: " + rc.path);
> >         }
> >         ......
> >     }
> >
> > Please help me confirm it and give it a CVE ID.
> >
> > Thank you very much!
> > Yours sincerely
> > Xiaoqin Fu
> >
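The two snippets in the report differ only in whether the message string is built before the logger decides to drop it. The following added example (not code from this thread or from ZooKeeper) makes that concrete: at a non-debug level neither the guarded nor the unguarded call writes anything, while at debug level both write the identical line, so the guard only changes how many strings are built. It uses java.util.logging's FINE level and isLoggable() as a stand-in for the SLF4J LOG.debug()/LOG.isDebugEnabled() pair in the report; the header type, error code and path values are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class DebugGuardDemo {

    // Collects the messages the logger actually emits so they can be inspected afterwards.
    static final class CapturingHandler extends Handler {
        final List<String> lines = new ArrayList<>();

        @Override
        public void publish(LogRecord r) {
            if (isLoggable(r)) {
                lines.add(r.getLevel() + ": " + r.getMessage());
            }
        }

        @Override
        public void flush() {
        }

        @Override
        public void close() {
        }
    }

    // Counts how often the message string was built: the only thing the guard changes.
    static int messagesBuilt = 0;

    // Stand-in for the concatenation in the report; hdrType, err and path are constructed values.
    static String buildMessage(int hdrType, int err, String path) {
        messagesBuilt++;
        return "Ignoring processTxn failure hdr:" + hdrType + ", error: " + err + ", path: " + path;
    }

    // Variant 1 from the report: the string is built even when FINE (debug) is disabled.
    static void unguarded(Logger log, int hdrType, int err, String path) {
        log.fine(buildMessage(hdrType, err, path));
    }

    // Variant 2 from the report: the string is only built when FINE (debug) is enabled.
    static void guarded(Logger log, int hdrType, int err, String path) {
        if (log.isLoggable(Level.FINE)) {
            log.fine(buildMessage(hdrType, err, path));
        }
    }

    // Runs both variants once at the given logger level and returns what was emitted.
    static List<String> run(Level level) {
        Logger log = Logger.getLogger("FileTxnSnapLogDemo");
        log.setUseParentHandlers(false);
        for (Handler h : log.getHandlers()) {
            log.removeHandler(h);
        }
        CapturingHandler handler = new CapturingHandler();
        handler.setLevel(Level.ALL);
        log.addHandler(handler);
        log.setLevel(level);

        messagesBuilt = 0;
        unguarded(log, 1, -101, "/zookeeper/quota");
        guarded(log, 1, -101, "/zookeeper/quota");
        return handler.lines;
    }

    public static void main(String[] args) {
        // INFO is the usual production level: nothing is written either way, but the
        // unguarded variant still built one string.
        List<String> atInfo = run(Level.INFO);
        System.out.println("INFO level: " + atInfo.size() + " lines emitted, "
                + messagesBuilt + " message strings built");

        // FINE corresponds to debug being switched on: both variants write the same line.
        List<String> atFine = run(Level.FINE);
        System.out.println("FINE level: " + atFine.size() + " lines emitted, "
                + messagesBuilt + " message strings built");
        for (String line : atFine) {
            System.out.println("  " + line);
        }
    }
}
```

Compile and run with `javac DebugGuardDemo.java && java DebugGuardDemo`. The guard is a cost control, not an access control: what decides whether the header type and path reach disk is the configured log level, and who can read them is decided by the permissions on the server's log files. With SLF4J the same deferral is obtained without a guard by using the parameterized form, `LOG.debug("Ignoring processTxn failure hdr:{}, error: {}, path: {}", hdr.getType(), rc.err, rc.path)`, which formats the message only when debug is enabled.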