zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Han <h...@cloudera.com>
Subject Re: ZooKeeper DOS exploit published
Date Wed, 15 Feb 2017 23:54:49 GMT
I have a patch for https://issues.apache.org/jira/browse/ZOOKEEPER-2693 (pull
request 179 <https://github.com/apache/zookeeper/pull/179>). Feedback will
be highly appreciated. It would be good that we can get this in a few days
as it is both a security fix and a blocker for two ongoing releases
(3.4.10/3.5.3).

On Mon, Feb 13, 2017 at 7:37 PM, Patrick Hunt <phunt@apache.org> wrote:

> Hi folks. The following exploit was recently published on the web and has
> come to our attention, it details a ZooKeeper DOS attack against certain
> four letter words (4lw), possible when the client port is exposed to
> untrusted actors:
>
> https://webcache.googleusercontent.com/search?
> q=cache:_CNGIz10PRYJ:https://
> www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
>
> Typically we address security issues on the security@ private mailing
> list,
> publishing a fixed release before publicly releasing the exploit, however
> in this case given the information is publicly available already we decided
> there's little point to keeping it on security@ exclusively.
> http://zookeeper.apache.org/security.html
>
> A JIRA has been created to track this issue:
> https://issues.apache.org/jira/browse/ZOOKEEPER-2693
> we expect to include a patch to address in 3.4.10 and 3.5.3.
>
> Patrick
>



-- 
Cheers
Michael.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message