zookeeper-user mailing list archives

From Patrick Hunt <ph...@apache.org>
Subject Re: Question on mitigation for CVE-2018-8012 "Apache ZooKeeper Quorum Peer mutual authentication"
Date Sat, 26 May 2018 18:45:05 GMT
On Fri, May 25, 2018 at 8:38 AM Philip Lowman <plowman@workforcesoftware.com> wrote:

> Hello,
>
> In regards to the CVE-2018-8012
> <https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E>
> advisory posted on Monday, it contains the following statement “Alternatively ensure
> the ensemble election/quorum communication is protected by a firewall as
> this will mitigate the issue”.
>
> I just wanted to ask (or hopefully just confirm), does this communication
> *exclusively* travel over the “leader election port”?
>
> In example configuration files the leader election port (see server.x in
> the docs
> <http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_configuration>)
> is typically defined to be port 3888.
>
> server.1=zoo1:2888:3888
> server.2=zoo2:2888:3888
> server.3=zoo3:2888:3888
>

Hi Philip,

The firewall would need to protect both the election and quorum ports -
those are the two numbers at the end of the server.# configuration
parameters. See
http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_clusterOptions
for more details on that config option.

Patrick

> Thanks
>
> Philip Lowman
> Sr. Software Security Engineer
> WorkForce Software | 38705 Seven Mile Road, Livonia, MI 48152
> T: +1 734-742-3610 | E: plowman@workforcesoftware.com
>
> This message is intended exclusively for the individual or entity to which
> it is addressed. This communication may contain information that is
> proprietary, privileged, confidential or otherwise legally exempt from
> disclosure. If you are not the named addressee, or have been inadvertently
> and erroneously referenced in the address line, you are not authorized to
> read, print, retain, copy or disseminate this message or any part of it. If
> you have received this message in error, please notify the sender
> immediately by e-mail and delete all copies of the message. (ID m031214)
>

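Added example, not part of the thread above and not ZooKeeper project code: a small Python helper that reads the server.N lines of a zoo.cfg, lists every quorum and election port the ensemble uses (the two numbers after the host, as Patrick's answer points out), reports which of those ports would still be exposed if a firewall only covered the election port, and emits iptables commands that restrict those ports to the ensemble members. The zoo.cfg text is constructed for the example; it goes slightly beyond the thread by also accepting the optional ":observer" role and the ZooKeeper 3.5 ";clientPort" suffix. The chain name ZK_PEERS and the use of iptables' multiport match are choices made here, and the hostnames zoo1..zoo4 are placeholders.

```python
import re
from typing import List, NamedTuple, Set

# Constructed sample zoo.cfg (not from the mailing-list post). server.N lines
# follow the documented form host:quorumPort:electionPort; server.4 also uses
# the optional ":observer" role and the ZooKeeper 3.5 ";clientPort" suffix.
SAMPLE_ZOO_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
server.1=zoo1:2888:3888
server.2=zoo2:2888:3888
server.3=zoo3:2888:3888
server.4=zoo4:2889:3889:observer;2181
"""


class Peer(NamedTuple):
    sid: int
    host: str
    quorum_port: int     # first port: leader <-> follower quorum traffic
    election_port: int   # second port: leader election traffic
    role: str


# One server.N entry. IPv6 literals and the 3.5 multi-address "|" form are
# deliberately not handled by this example.
_SERVER_RE = re.compile(
    r"^\s*server\.(?P<sid>\d+)\s*=\s*(?P<host>[^:;|\s]+)"
    r":(?P<quorum>\d+):(?P<election>\d+)"
    r"(?::(?P<role>participant|observer))?"
    r"(?:;\s*\d+)?\s*$"
)


def parse_peers(cfg_text: str) -> List[Peer]:
    """Extract every ensemble member from zoo.cfg text."""
    peers = []
    for line in cfg_text.splitlines():
        m = _SERVER_RE.match(line)
        if m:
            peers.append(Peer(int(m["sid"]), m["host"], int(m["quorum"]),
                              int(m["election"]), m["role"] or "participant"))
    return peers


def ensemble_ports(peers: List[Peer]) -> List[int]:
    """Every port carrying quorum or election traffic: the full set a firewall must cover."""
    ports: Set[int] = set()
    for p in peers:
        ports.add(p.quorum_port)
        ports.add(p.election_port)
    return sorted(ports)


def uncovered_ports(peers: List[Peer], protected: Set[int]) -> List[int]:
    """Ports still reachable from outside if only `protected` ports are restricted to peers."""
    return [port for port in ensemble_ports(peers) if port not in protected]


def iptables_rules(peers: List[Peer], chain: str = "ZK_PEERS") -> List[str]:
    """Build iptables commands that accept quorum/election traffic only from ensemble members."""
    ports = ",".join(str(p) for p in ensemble_ports(peers))
    rules = [
        f"iptables -N {chain}",
        # divert all inbound TCP to the quorum/election ports into the chain
        f"iptables -A INPUT -p tcp -m multiport --dports {ports} -j {chain}",
    ]
    for p in peers:
        # -s accepts a hostname, resolved when the rule is loaded; use
        # literal peer IPs in a real deployment
        rules.append(f"iptables -A {chain} -p tcp -s {p.host} "
                     f"-m multiport --dports {ports} -j ACCEPT")
    # anything else reaching these ports is dropped
    rules.append(f"iptables -A {chain} -p tcp -m multiport --dports {ports} -j DROP")
    return rules


if __name__ == "__main__":
    peers = parse_peers(SAMPLE_ZOO_CFG)
    print("quorum/election ports:", ensemble_ports(peers))
    print("still exposed if only 3888 is firewalled:", uncovered_ports(peers, {3888}))
    print("\n".join(iptables_rules(peers)))
```

Running the script on the sample config shows that firewalling only port 3888 leaves 2888 (and the observer's 2889/3889) open, which is the gap the reply above warns about; the generated rules restrict all four ports to the listed peers. A per-peer port list would be tighter still, but the set-based rule is simpler to audit and is sufficient as long as every member uses the same two ports.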