From: Xiaoqin Fu
Date: Mon, 12 Aug 2019 19:40:42 -0700
Subject: An Apache Zookeeper Security Vulnerability
To: dev@zookeeper.apache.org, user@zookeeper.apache.org

Dear developers:

I am a Ph.D. student at Washington State University. I applied a dynamic taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11), and then I found a security vulnerability, which exists in 3.4.11-3.4.14 and 3.5.5, from tainted paths.

An information leakage from FileTxnSnapLog to log:

In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the LOG.debug statement doesn't have LOG controls:

    public void processTransaction(TxnHeader hdr, DataTree dt, Map sessions, Record txn)
            throws KeeperException.NoNodeException {
        ......
        if (rc.err != Code.OK.intValue()) {
            LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
                    + ", error: " + rc.err + ", path: " + rc.path);
        }
        ......
    }

Sensitive information about hdr type or rc path was leaked. The conditional statement LOG.isDebugEnabled() should be added:

    public void processTransaction(TxnHeader hdr, DataTree dt, Map sessions, Record txn)
            throws KeeperException.NoNodeException {
        ......
        if (rc.err != Code.OK.intValue()) {
            if (LOG.isDebugEnabled())
                LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
                        + ", error: " + rc.err + ", path: " + rc.path);
        }
        ......
    }

In JIRA, it is at https://issues.apache.org/jira/browse/ZOOKEEPER-3504

Please help me confirm it. Thank you very much!

Yours sincerely
Xiaoqin Fu
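
An added example, not part of the original message or of the ZooKeeper code base, that measures what an isDebugEnabled()-style guard changes: whether a record reaches a handler, and whether the message string is built. It assumes java.util.logging (isLoggable/fine) as a stand-in for the SLF4J logger ZooKeeper uses; the class name, logger name and sample values are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.*;

// Added example: java.util.logging stands in for ZooKeeper's SLF4J logger.
public class DebugGuardDemo {
    static final Logger LOG = Logger.getLogger("demo.FileTxnSnapLog"); // hypothetical name
    static final List<String> emitted = new ArrayList<>(); // records that reached the handler
    static int built = 0; // how many times the message string was constructed

    // Builds the same message as the quoted code, from constructed sample values.
    static String message(int type, int err, String path) {
        built++;
        return "Ignoring processTxn failure hdr:" + type + ", error: " + err + ", path: " + path;
    }

    static void unguarded() { LOG.fine(message(1, -101, "/app/sample-node")); }

    static void guarded() {
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine(message(1, -101, "/app/sample-node"));
        }
    }

    // Returns {records emitted, messages built} for one call at the given logger level.
    static int[] run(Level level, Runnable call) {
        LOG.setLevel(level);
        emitted.clear();
        built = 0;
        call.run();
        return new int[] { emitted.size(), built };
    }

    public static void main(String[] args) {
        LOG.setUseParentHandlers(false); // keep output out of the root console handler
        LOG.addHandler(new Handler() {
            @Override public void publish(LogRecord r) { emitted.add(r.getMessage()); }
            @Override public void flush() {}
            @Override public void close() {}
        });
        String[] names = { "INFO unguarded", "INFO guarded", "FINE unguarded", "FINE guarded" };
        int[][] results = {
            run(Level.INFO, DebugGuardDemo::unguarded), run(Level.INFO, DebugGuardDemo::guarded),
            run(Level.FINE, DebugGuardDemo::unguarded), run(Level.FINE, DebugGuardDemo::guarded) };
        for (int i = 0; i < names.length; i++) {
            System.out.println(names[i] + ": emitted=" + results[i][0] + " built=" + results[i][1]);
        }
    }
}
```

The emitted count shows whether a record reached the handler at each logger level; the built count shows whether the string concatenation ran.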