zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Norbert Kalmar <nkal...@cloudera.com.INVALID>
Subject Re: An Apache Zookeeper Security Vulnerability
Date Sat, 10 Aug 2019 07:31:06 GMT
Hello Xiaoqin,

My understanding is that log guards is used for performance reasons. I
don't see how it can prevent information leakage.

I'd also like to add, that please use the security mailing list first if
you think you found a CVE. - security@zookeeper.apache.org
More info here:
https://zookeeper.apache.org/security.html

Thank you!

Regards,
Norbert

On Sat, Aug 10, 2019 at 1:31 AM Patrick Hunt <phunt@apache.org> wrote:

> On Fri, Aug 9, 2019 at 9:34 AM Enrico Olivelli <eolivelli@gmail.com>
> wrote:
>
> > Those points do not seem a security issue
> >
> >
> Agree. First off the data is not sensitive. Also it's debug level and
> logged on the server. See
> https://issues.apache.org/jira/browse/ZOOKEEPER-3488 - similar situation
> although in this case debug is not the default - user would actively have
> to turn this on.
>
> Patrick
>
>
> >
> > Enrico
> >
> >
> > Il ven 9 ago 2019, 17:52 Fu, Xiaoqin <xiaoqin.fu@wsu.edu> ha scritto:
> >
> > > Dear developers:
> > >      I am a Ph.D. student at Washington State University. I applied
> > > dynamic taint analyzer (distTaint) to Apache Zookeeper (version
> 3.4.11).
> > > And then I find a security vulnerability, that exists from
> 3.4.11-3.4.14
> > > and 3.5.5, from tainted paths.
> > >
> > > Possible information leakage from FileTxnSnapLog to log without LOG
> > > control LOG.isDebugEnabled():
> > > In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the
> statement
> > > LOG.debug don't have LOG controls:
> > >     public void processTransaction(TxnHeader hdr,DataTree dt,
> > >             Map<Long, Integer> sessions, Record txn)
> > >         throws KeeperException.NoNodeException {
> > > ......
> > >         if (rc.err != Code.OK.intValue()) {
> > >             LOG.debug("Ignoring processTxn failure hdr:" +
> hdr.getType()
> > >                     + ", error: " + rc.err + ", path: " + rc.path);
> > >         }
> > > ......
> > >     }
> > >
> > > Sensitive information about hdr type or rc path may be leaked. The
> > > conditional statement LOG.isDebugEnabled() should be added:
> > >     public void processTransaction(TxnHeader hdr,DataTree dt,
> > >             Map<Long, Integer> sessions, Record txn)
> > >         throws KeeperException.NoNodeException {
> > > ......
> > >         if (rc.err != Code.OK.intValue()) {
> > >         if (LOG.isDebugEnabled())
> > > LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> > >                     + ", error: " + rc.err + ", path: " + rc.path);
> > >         }
> > > ......
> > >     }
> > >     Please help me confirm it and give it a CVE ID.
> > >
> > >     Thank you very much!
> > >     Yours sincerely
> > >     Xiaoqin Fu
> > >
> > >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message